"Fossies" - the Fresh Open Source Software Archive

Member "neon-0.31.2/test/ssl.c" (20 Jun 2020, 56370 Bytes) of package /linux/www/neon-0.31.2.tar.gz:


As a special service "Fossies" has tried to format the requested source page into HTML format using (guessed) C and C++ source code syntax highlighting (style: standard) with prefixed line numbers and code folding option. Alternatively you can here view or download the uninterpreted source code file. See also the latest Fossies "Diffs" side-by-side code changes report for "ssl.c": 0.31.1_vs_0.31.2.

    1 /* 
    2    neon test suite
    3    Copyright (C) 2002-2009, Joe Orton <joe@manyfish.co.uk>
    4 
    5    This program is free software; you can redistribute it and/or modify
    6    it under the terms of the GNU General Public License as published by
    7    the Free Software Foundation; either version 2 of the License, or
    8    (at your option) any later version.
    9   
   10    This program is distributed in the hope that it will be useful,
   11    but WITHOUT ANY WARRANTY; without even the implied warranty of
   12    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
   13    GNU General Public License for more details.
   14   
   15    You should have received a copy of the GNU General Public License
   16    along with this program; if not, write to the Free Software
   17    Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
   18 
   19 */
   20 
   21 #include "config.h"
   22 
   23 #include <sys/types.h>
   24 
   25 #include <sys/stat.h>
   26 
   27 #ifdef HAVE_STDLIB_H
   28 #include <stdlib.h>
   29 #endif
   30 #ifdef HAVE_UNISTD_H
   31 #include <unistd.h>
   32 #endif
   33 
   34 #include "ne_request.h"
   35 #include "ne_socket.h"
   36 #include "ne_ssl.h"
   37 #include "ne_auth.h"
   38 
   39 #include "tests.h"
   40 #include "child.h"
   41 #include "utils.h"
   42 
   43 #ifndef NE_HAVE_SSL
   44 /* this file shouldn't be built if SSL is not enabled. */
   45 #error SSL not supported
   46 #endif
   47 
   48 #include "ne_pkcs11.h"
   49 
   50 #define SERVER_CERT "server.cert"
   51 #define CA2_SERVER_CERT "ca2server.pem"
   52 #define CA_CERT "ca/cert.pem"
   53 
   54 #define P12_PASSPHRASE "foobar"
   55 
   56 #define SERVER_DNAME "Neon QA Dept, Neon Hackers Ltd, " \
   57                      "Cambridge, Cambridgeshire, GB"
   58 #define CACERT_DNAME "Random Dept, Neosign, Oakland, California, US"
   59 
   60 static char *srcdir = ".";
   61 static char *server_key = NULL; 
   62 
   63 static ne_ssl_certificate *def_ca_cert = NULL, *def_server_cert;
   64 static ne_ssl_client_cert *def_cli_cert;
   65 
   66 static char *nul_cn_fn;
   67 
   68 static int check_dname(const ne_ssl_dname *dn, const char *expected,
   69                        const char *which);
   70 
   71 /* Arguments for running the SSL server */
   72 struct ssl_server_args {
   73     char *cert; /* the server cert to present. */
   74     const char *response; /* the response to send. */
   75     int numreqs; /* number of request/responses to handle over the SSL connection. */
   76 
   77     /* client cert handling: */
   78     int require_cc; /* require a client cert if non-NULL */
   79     const char *ca_list; /* file of CA certs to verify client cert against */
   80     int fail_silently; /* exit with success if handshake fails */
   81     
   82     /* session caching: */
   83     int cache; /* use the session cache if non-zero */
   84     struct ssl_session {
   85         unsigned char id[128];
   86         size_t len;
   87     } session;
   88     int count; /* internal use. */
   89 
   90     int use_ssl2; /* force use of SSLv2 only */
   91 
   92     const char *key;
   93 };
   94 
   95 /* default response string if args->response is NULL */
   96 #define DEF_RESP "HTTP/1.0 200 OK\r\nContent-Length: 0\r\n\r\n"
   97 
   98 /* An SSL server inna bun. */
   99 static int ssl_server(ne_socket *sock, void *userdata)
  100 {
  101     struct ssl_server_args *args = userdata;
  102     int ret;
  103     char buf[BUFSIZ];
  104     const char *key;
  105     static ne_ssl_context *ctx = NULL;
  106 
  107     if (ctx == NULL) {
  108         ctx = ne_ssl_context_create(args->use_ssl2 ? NE_SSL_CTX_SERVERv2
  109                                     : NE_SSL_CTX_SERVER);
  110     }
  111 
  112     ONV(ctx == NULL, ("could not create SSL context"));
  113 
  114     key = args->key ? args->key : server_key;
  115     NE_DEBUG(NE_DBG_HTTP, "SSL server init with keypair (%s, %s).\n",
  116              args->cert, key);
  117              
  118     ONV(ne_ssl_context_keypair(ctx, args->cert, key),
  119         ("failed to load server keypair: ..."));
  120 
  121     if (args->require_cc && !args->ca_list) {
  122         args->ca_list = CA_CERT;
  123     }
  124 
  125     ne_ssl_context_set_verify(ctx, args->require_cc, 
  126                               args->ca_list, args->ca_list);
  127 
  128     ret = ne_sock_accept_ssl(sock, ctx);
  129     if (ret && args->fail_silently) {
  130         return 0;
  131     }
  132     ONV(ret, ("SSL accept failed: %s", ne_sock_error(sock)));
  133 
  134     args->count++;
  135 
  136     /* loop handling requests: */
  137     do {
  138         const char *response = args->response ? args->response : DEF_RESP;
  139 
  140         ret = ne_sock_read(sock, buf, BUFSIZ - 1);
  141         if (ret == NE_SOCK_CLOSED)
  142             return 0; /* connection closed by parent; give up. */
  143         ONV(ret < 0, ("SSL read failed (%d): %s", ret, 
  144                       ne_sock_error(sock)));
  145         
  146         buf[ret] = '\0';
  147         
  148         NE_DEBUG(NE_DBG_HTTP, "Request over SSL was: [%s]\n", buf);
  149         
  150         if (strstr(buf, "Proxy-Authorization:") != NULL) {
  151             NE_DEBUG(NE_DBG_HTTP, "Got Proxy-Auth header over SSL!\n");
  152             response = "HTTP/1.1 500 Client Leaks Credentials\r\n"
  153                 "Content-Length: 0\r\n" "\r\n";
  154         }
  155         
  156         ONV(ne_sock_fullwrite(sock, response, strlen(response)),
  157             ("SSL write failed: %s", ne_sock_error(sock)));
  158         
  159     } while (--args->numreqs > 0);
  160 
  161 
  162     if (args->cache) {
  163         unsigned char sessid[128];
  164         size_t len = sizeof sessid;
  165 
  166         ONN("could not retrieve session ID",
  167             ne_sock_sessid(sock, sessid, &len));
  168         
  169 #ifdef NE_DEBUGGING
  170         {
  171             char *b64 = ne_base64(sessid, len);
  172             NE_DEBUG(NE_DBG_SSL, "Session id retrieved (%d): [%s]\n", 
  173                      args->count, b64);
  174             ne_free(b64);
  175         }
  176 #endif
  177         
  178         if (args->count == 1) {
  179             /* save the session. */
  180             memcpy(args->session.id, sessid, len);
  181             args->session.len = len;
  182         } else {
  183             /* Compare with stored session. */
  184             ONN("cached session not used", 
  185                 args->session.len != len
  186                 || memcmp(args->session.id, sessid, len));
  187         }
  188     }   
  189     
  190     return 0;
  191 }
  192 
  193 /* serve_ssl wrapper which ignores server failure and always succeeds */
  194 static int fail_serve(ne_socket *sock, void *ud)
  195 {
  196     struct ssl_server_args args = {0};
  197     args.cert = ud;
  198     ssl_server(sock, &args);
  199     return OK;
  200 }
  201 
  202 #define DEFSESS  (ne_session_create("https", "localhost", 7777))
  203 
  204 static int make_ssl_session_port(ne_session **sess,
  205                                  const char *hostname, int port,
  206                                  server_fn fn, void *userdata)
  207 {
  208     return fakeproxied_session_server(sess, "https", hostname, port,
  209                                       fn, userdata);
  210 }
  211 
  212 static int make_ssl_session(ne_session **sess, const char *hostname,
  213                             server_fn fn, void *userdata)
  214 {
  215     return make_ssl_session_port(sess,
  216                                  hostname ? hostname : "localhost", 7777,
  217                                  fn, userdata);
  218 }
  219 
  220 static int load_and_trust_cert(ne_session *sess, const char *ca_cert)
  221 {
  222     ne_ssl_certificate *ca = ne_ssl_cert_read(ca_cert);
  223     ONV(ca == NULL, ("could not load CA cert `%s'", ca_cert));
  224     ne_ssl_trust_cert(sess, ca);
  225     ne_ssl_cert_free(ca);
  226     return OK;
  227 }
  228 
  229 static int make_ssl_request(struct ssl_server_args *args,
  230                             const char *ca_cert, const char *hostname,
  231                             ne_ssl_verify_fn verify_fn, void *verify_ud)
  232 {
  233     ne_session *sess;
  234     int ret;
  235 
  236     CALL(make_ssl_session(&sess, hostname, ssl_server, args));
  237 
  238     if (ca_cert) CALL(load_and_trust_cert(sess, ca_cert));
  239     
  240     if (verify_fn) ne_ssl_set_verify(sess, verify_fn, verify_ud);
  241 
  242     ret = any_2xx_request(sess, "/foo");
  243     CALL(await_server());
  244     ne_session_destroy(sess);
  245     return ret;
  246 }
  247 
  248 /* Run a request in the given session. */
  249 static int any_ssl_request(ne_session *sess, server_fn fn, void *server_ud,
  250                char *ca_cert,
  251                ne_ssl_verify_fn verify_fn, void *verify_ud)
  252 {
  253     int ret;
  254     
  255     if (ca_cert) {
  256         CALL(load_and_trust_cert(sess, ca_cert));
  257     }
  258 
  259     CALL(spawn_server(7777, fn, server_ud));
  260 
  261     if (verify_fn)
  262     ne_ssl_set_verify(sess, verify_fn, verify_ud);
  263 
  264     ret = any_request(sess, "/foo");
  265 
  266     CALL(await_server());
  267     
  268     ONREQ(ret);
  269 
  270     return OK;
  271 }
  272 
  273 static int init(void)
  274 {
  275     /* take srcdir as argv[1] for VPATH builds. */
  276     if (test_argc > 1) {
  277         srcdir = test_argv[1];
  278     }
  279         
  280     /* take srcdir as argv[1]. */
  281     server_key = "server.key";
  282     
  283     if (ne_sock_init()) {
  284     t_context("could not initialize socket/SSL library.");
  285     return FAILHARD;
  286     }
  287 
  288     def_ca_cert = ne_ssl_cert_read(CA_CERT);
  289     if (def_ca_cert == NULL) {
  290         t_context("couldn't load CA cert %s", CA_CERT);
  291         return FAILHARD;
  292     }
  293 
  294     def_server_cert = ne_ssl_cert_read(SERVER_CERT);
  295     if (def_server_cert == NULL) {
  296         t_context("couldn't load server cert %s", SERVER_CERT);
  297         return FAILHARD;
  298     }
  299     
  300     /* tests for the encrypted client cert, client.p12 */
  301     def_cli_cert = ne_ssl_clicert_read("client.p12");
  302     if (def_cli_cert == NULL) {
  303         t_context("could not load client.p12");
  304         return FAILHARD;
  305     }
  306 
  307     if (!ne_ssl_clicert_encrypted(def_cli_cert)) {
  308         ne_ssl_clicert_free(def_cli_cert);
  309         def_cli_cert = NULL;
  310         t_context("client.p12 is not encrypted!?");
  311         return FAIL;
  312     }
  313 
  314     if (ne_ssl_clicert_decrypt(def_cli_cert, P12_PASSPHRASE)) {
  315         ne_ssl_clicert_free(def_cli_cert);
  316         def_cli_cert = NULL;
  317         t_context("failed to decrypt client.p12");
  318         return FAIL;
  319     }
  320 
  321     nul_cn_fn = ne_concat(srcdir, "/nulcn.pem", NULL);
  322 
  323     return OK;
  324 }
  325 
  326 /* just check the result codes of loading server certs. */
  327 static int load_server_certs(void)
  328 {
  329     ne_ssl_certificate *cert;
  330 
  331     cert = ne_ssl_cert_read("Makefile");
  332     ONN("invalid CA cert file loaded successfully", cert != NULL);
  333 
  334     cert = ne_ssl_cert_read("nonesuch.pem");
  335     ONN("non-existent 'nonesuch.pem' loaded successfully", cert != NULL);
  336 
  337     cert = ne_ssl_cert_read("ssigned.pem");
  338     ONN("could not load ssigned.pem", cert == NULL);
  339     ne_ssl_cert_free(cert);
  340 
  341     return OK;
  342 }
  343 
  344 static int trust_default_ca(void)
  345 {
  346     ne_session *sess = DEFSESS;
  347     ne_ssl_trust_default_ca(sess);
  348     ne_session_destroy(sess);
  349     return OK;
  350 }
  351 
  352 #define CC_NAME "Just A Neon Client Cert"
  353 
  354 /* Tests for loading client certificates */
  355 static int load_client_cert(void)
  356 {
  357     ne_ssl_client_cert *cc;
  358     const ne_ssl_certificate *cert;
  359     const char *name;
  360 
  361     cc = ne_ssl_clicert_read("client.p12");
  362     ONN("could not load client.p12", cc == NULL);
  363     ONN("client.p12 not encrypted!?", !ne_ssl_clicert_encrypted(cc));
  364     name = ne_ssl_clicert_name(cc);
  365     if (name == NULL) {
  366         t_warning("no friendly name given");
  367     } else {
  368         ONV(strcmp(name, CC_NAME), ("friendly name was %s not %s", name, CC_NAME));
  369     }
  370     ONN("failed to decrypt", ne_ssl_clicert_decrypt(cc, P12_PASSPHRASE));
  371     ne_ssl_clicert_free(cc);
  372 
  373     cc = ne_ssl_clicert_read("client.p12");
  374     ONN("decrypted client.p12 with incorrect password!?",
  375         ne_ssl_clicert_decrypt(cc, "barfoo") == 0);
  376     ne_ssl_clicert_free(cc);
  377 
  378     /* tests for the unencrypted client cert, client2.p12 */
  379     cc = ne_ssl_clicert_read("unclient.p12");
  380     ONN("could not load unencrypted cert unclient.p12", cc == NULL);
  381     ONN("unencrypted cert marked encrypted?", ne_ssl_clicert_encrypted(cc));
  382     cert = ne_ssl_clicert_owner(cc);
  383     ONN("client cert had no certificate", cert == NULL);
  384     CALL(check_dname(ne_ssl_cert_subject(cert),
  385                      "Neon Client Cert, Neon Hackers Ltd, "
  386                      "Cambridge, Cambridgeshire, GB",
  387                      "client cert subject"));
  388     CALL(check_dname(ne_ssl_cert_issuer(cert), CACERT_DNAME, 
  389                      "client cert issuer"));
  390     ne_ssl_clicert_free(cc);
  391 
  392     /* test for ccert without a friendly name, noclient.p12 */
  393     cc = ne_ssl_clicert_read("noclient.p12");
  394     ONN("could not load noclient.p12", cc == NULL);
  395     name = ne_ssl_clicert_name(cc);
  396     ONV(name != NULL, ("noclient.p12 had friendly name `%s'", name));
  397     ne_ssl_clicert_free(cc);
  398 
  399     /* test for ccert with a bundled CA. */
  400     cc = ne_ssl_clicert_read("clientca.p12");
  401     ONN("could not load clientca.p12", cc == NULL);
  402     ONN("encrypted cert marked unencrypted?", !ne_ssl_clicert_encrypted(cc));
  403     ONN("could not decrypt clientca.p12", 
  404         ne_ssl_clicert_decrypt(cc, P12_PASSPHRASE));
  405     ne_ssl_clicert_free(cc);
  406 
  407     /* test for ccert without a private key, nkclient.p12 */
  408     cc = ne_ssl_clicert_read("nkclient.p12");
  409     ONN("did not fail to load clicert without pkey", cc != NULL);
  410     
  411     /* test for ccert without a cert, ncclient.p12 */
  412     cc = ne_ssl_clicert_read("ncclient.p12");
  413     ONN("did not fail to load clicert without cert", cc != NULL);
  414 
  415     /* tests for loading bogus files. */
  416     cc = ne_ssl_clicert_read("Makefile");
  417     ONN("loaded Makefile as client cert!?", cc != NULL);
  418 
  419     /* test for loading nonexistent file. */
  420     cc = ne_ssl_clicert_read("nosuch.pem");
  421     ONN("loaded nonexistent file as client cert!?", cc != NULL);
  422 
  423     return OK;
  424 }
  425 
  426 static int clicert_import(void)
  427 {
  428     ne_ssl_client_cert *cc;
  429     ne_buffer *buf = ne_buffer_create();
  430 
  431     CALL(file_to_buffer("client.p12", buf));
  432 
  433     cc = ne_ssl_clicert_import((unsigned char *)buf->data, ne_buffer_size(buf));
  434     ONN("could not import client cert from buffer", cc == NULL);
  435     
  436     ONN("failed to decrypt", ne_ssl_clicert_decrypt(cc, P12_PASSPHRASE));
  437     ne_ssl_clicert_free(cc);
  438     ne_buffer_destroy(buf);
  439 
  440     return OK;
  441 }
  442 
  443 /* Test that 'cert', which is signed by CA_CERT, is accepted
  444  * unconditionally. */
  445 static int accept_signed_cert_for_hostname(char *cert, const char *hostname)
  446 {
  447     struct ssl_server_args args = {cert, 0};
  448 
  449     /* no verify callback needed. */
  450     return make_ssl_request(&args, CA_CERT, hostname, NULL, NULL);
  451 }
  452 
  453 
  454 static int accept_signed_cert(char *cert)
  455 {
  456     return accept_signed_cert_for_hostname(cert, "localhost");
  457 }
  458 
  459 static int simple(void)
  460 {
  461     return accept_signed_cert(SERVER_CERT);
  462 }
  463 
  464 #if 0 /* No longer works for modern SSL libraries, rightly so. */
  465 /* Test for SSL operation when server uses SSLv2 */
  466 static int simple_sslv2(void)
  467 {
  468     ne_session *sess = ne_session_create("https", "localhost", 7777);
  469     struct ssl_server_args args = {SERVER_CERT, 0};
  470 
  471     args.use_ssl2 = 1;
  472     ne_set_session_flag(sess, NE_SESSFLAG_SSLv2, 1);
  473 
  474     if (ne_get_session_flag(sess, NE_SESSFLAG_SSLv2) != 1) {
  475         t_context("no SSLv2 support in SSL library");
  476         ne_session_destroy(sess);
  477         return SKIP;
  478     }
  479 
  480     CALL(any_ssl_request(sess, ssl_server, &args, CA_CERT, NULL, NULL));
  481     ne_session_destroy(sess);
  482     return OK;
  483 }
  484 #endif
  485 
  486 /* Test read-til-EOF behaviour with SSL. */
  487 static int simple_eof(void)
  488 {
  489     struct ssl_server_args args = {SERVER_CERT, 0};
  490 
  491     args.response = "HTTP/1.0 200 OK\r\n"
  492         "Connection: close\r\n"
  493         "\r\n"
  494         "This is a response body, like it or not.";
  495 
  496     return make_ssl_request(&args, CA_CERT, NULL, NULL, NULL);
  497 }
  498 
  499 static int intermediary(void)
  500 {
  501     struct ssl_server_args args = {CA2_SERVER_CERT, 0};
  502 
  503     return make_ssl_request(&args, CA_CERT, NULL, NULL, NULL);
  504 }
  505 
  506 static int empty_truncated_eof(void)
  507 {
  508     struct ssl_server_args args = {0};
  509 
  510     args.cert = SERVER_CERT;
  511     args.response = "HTTP/1.0 200 OK\r\n" "\r\n";
  512     
  513     return make_ssl_request(&args, CA_CERT, NULL, NULL, NULL);
  514 }
  515 
  516 /* Server function which just sends a string then EOF. */
  517 static int just_serve_string(ne_socket *sock, void *userdata)
  518 {
  519     const char *str = userdata;
  520     server_send(sock, str, strlen(str));
  521     return 0;
  522 }
  523 
  524 /* test for the SSL negotiation failing. */
  525 static int fail_not_ssl(void)
  526 {
  527     ne_session *sess;
  528     int ret;
  529     
  530     CALL(make_ssl_session(&sess, NULL, just_serve_string, "Hello, world.\n"));
  531     ret = any_request(sess, "/bar");
  532     CALL(await_server());
  533 
  534     ONN("request did not fail", ret != NE_ERROR);
  535 
  536     ne_session_destroy(sess);
  537     return OK;
  538 }
  539 
  540 static int wildcard_match(void)
  541 {
  542     struct ssl_server_args args = {"wildcard.cert", 0};
  543 
  544     return make_ssl_request(&args, CA_CERT, "bar.example.com", NULL, NULL);
  545 }
  546 
  547 static int wildcard_match_altname(void)
  548 {
  549     struct ssl_server_args args = {"altname9.cert", 0};
  550 
  551     return make_ssl_request(&args, CA_CERT, "foo.example.com", NULL, NULL);
  552 }
  553 
  554 /* Check that hostname comparisons are not cases-sensitive. */
  555 static int caseless_match(void)
  556 {
  557     return accept_signed_cert("caseless.cert");
  558 }
  559 
  560 /* Test that the subjectAltName extension has precedence over the
  561  * commonName attribute */
  562 static int subject_altname(void)
  563 {
  564     return accept_signed_cert("altname1.cert");
  565 }
  566 
  567 /* tests for multiple altNames. */
  568 static int two_subject_altname(void)
  569 {
  570     return accept_signed_cert("altname2.cert");
  571 }
  572 
  573 static int two_subject_altname2(void)
  574 {
  575     return accept_signed_cert("altname3.cert");
  576 }
  577 
  578 /* Test that a subject altname with *only* an eMail entry is
  579  * ignored, and the commonName is used instead. */
  580 static int notdns_altname(void)
  581 {
  582     return accept_signed_cert("altname4.cert");
  583 }
  584 
  585 static int ipaddr_altname(void)
  586 {
  587     return accept_signed_cert_for_hostname("altname5.cert", "127.0.0.1");
  588 }
  589 
  590 static int uri_altname(void)
  591 {
  592     return accept_signed_cert_for_hostname("altname7.cert", "localhost");
  593 }
  594 
  595 /* test that the *most specific* commonName attribute is used. */
  596 static int multi_commonName(void)
  597 {
  598     return accept_signed_cert("twocn.cert");
  599 }
  600 
  601 /* regression test for neon <= 0.23.4 where if commonName was the first
  602  * RDN in the subject DN, it was ignored. */
  603 static int commonName_first(void)
  604 {
  605     return accept_signed_cert("cnfirst.cert");
  606 }
  607 
  608 static int check_dname(const ne_ssl_dname *dn, const char *expected,
  609                        const char *which)
  610 {
  611     char *dname;
  612 
  613     ONV(dn == NULL, ("certificate %s dname was NULL", which));
  614     
  615     dname = ne_ssl_readable_dname(dn);
  616 
  617     NE_DEBUG(NE_DBG_SSL, "Got dname `%s', expecting `%s'\n", dname, expected);
  618 
  619     ONV(strcmp(dname, expected), 
  620         ("certificate %s dname was `%s' not `%s'", which, dname, expected));
  621 
  622     ne_free(dname);
  623 
  624     return 0;
  625 }
  626 
  627 /* Check that the readable subject issuer dnames of 'cert' match
  628  * 'subject' and 'issuer' (if non-NULL). */
  629 static int check_cert_dnames(const ne_ssl_certificate *cert,
  630                              const char *subject, const char *issuer)
  631 {
  632     ONN("no server certificate presented", cert == NULL);
  633     CALL(check_dname(ne_ssl_cert_subject(cert), subject, "subject"));
  634     return issuer ? check_dname(ne_ssl_cert_issuer(cert), issuer, "issuer") : OK;
  635 }
  636 
  637 /* Verify callback which checks that the certificate presented has the
  638  * predetermined subject and issuer DN (as per makekeys.sh). */
  639 static int check_cert(void *userdata, int fs, const ne_ssl_certificate *cert)
  640 {
  641     int *ret = userdata;
  642 
  643     if (check_cert_dnames(cert, SERVER_DNAME, CACERT_DNAME) == FAIL)
  644         *ret = -1;
  645     else
  646         *ret = 1;
  647 
  648     return 0;
  649 }
  650 
  651 /* Check that certificate attributes are passed correctly. */
  652 static int parse_cert(void)
  653 {
  654     struct ssl_server_args args = {SERVER_CERT, 0};
  655     int ret = 0;
  656 
  657     /* don't give a CA cert; should force the verify callback to be
  658      * used. */
  659     CALL(make_ssl_request(&args, NULL, NULL, check_cert, &ret));
  660 
  661     ONN("cert verification never called", ret == 0);
  662 
  663     if (ret == -1)
  664     return FAIL;
  665 
  666     return OK;
  667 }
  668 
  669 #define WRONGCN_DNAME "Bad Hostname Department, Neon Hackers Ltd, " \
  670     "Cambridge, Cambridgeshire, GB"
  671 
  672 /* Check the certificate chain presented against known dnames. */
  673 static int check_chain(void *userdata, int fs, const ne_ssl_certificate *cert)
  674 {
  675     int *ret = userdata;
  676 
  677     if (check_cert_dnames(cert, WRONGCN_DNAME, CACERT_DNAME) == FAIL) {
  678         *ret = -1;
  679         return 0;
  680     }
  681     
  682     cert = ne_ssl_cert_signedby(cert);
  683     if (cert == NULL) {
  684         t_context("no CA cert in chain");
  685         *ret = -1;
  686         return 0;
  687     }
  688     
  689     if (check_cert_dnames(cert, CACERT_DNAME, CACERT_DNAME) == FAIL) {
  690         *ret = -1;
  691         return 0;
  692     }
  693     
  694     *ret = 1;
  695     return 0;
  696 }
  697 
  698 /* Check that certificate attributes are passed correctly. */
  699 static int parse_chain(void)
  700 {
  701     int ret = 0;
  702     struct ssl_server_args args = {"wrongcn.cert", 0};
  703 
  704     args.ca_list = CA_CERT;
  705 
  706     /* The cert is signed by the CA but has a CN mismatch, so will
  707      * force the verification callback to be invoked. */
  708     CALL(make_ssl_request(&args, CA_CERT, NULL, check_chain, &ret));
  709 
  710     ONN("cert verification never called", ret == 0);
  711 
  712     if (ret == -1)
  713     return FAIL;
  714 
  715     return OK;
  716 }
  717 
  718 
  719 static int count_vfy(void *userdata, int fs, const ne_ssl_certificate *c)
  720 {
  721     int *count = userdata;
  722     (*count)++;
  723     return 0;
  724 }
  725 
  726 static int no_verify(void)
  727 {
  728     int count = 0;
  729     struct ssl_server_args args = {SERVER_CERT, 0};
  730 
  731     CALL(make_ssl_request(&args, CA_CERT, NULL, count_vfy, &count));
  732 
  733     ONN("verify callback called unnecessarily", count != 0);
  734 
  735     return OK;
  736 }
  737 
  738 static int cache_verify(void)
  739 {
  740     ne_session *sess = DEFSESS;
  741     int count = 0;
  742     struct ssl_server_args args = {SERVER_CERT, 0};
  743     
  744     /* force verify cert. */
  745     CALL(any_ssl_request(sess, ssl_server, &args, NULL, count_vfy,
  746                          &count));
  747 
  748     CALL(spawn_server(7777, ssl_server, &args));
  749     ONREQ(any_request(sess, "/foo2"));
  750     CALL(await_server());
  751 
  752     ONV(count != 1,
  753     ("verify callback result not cached: called %d times", count));
  754 
  755     ne_session_destroy(sess);
  756 
  757     return OK;
  758 }
  759 
  760 /* Copy failures into *userdata, and fail verification. */
  761 static int get_failures(void *userdata, int fs, const ne_ssl_certificate *c)
  762 {
  763     int *out = userdata;
  764     *out = fs;
  765     return -1;
  766 }
  767 
  768 /* Helper function for expected-to-fail SSL tests.
  769  *
  770  * An SSL server is spawned using 'cert' and 'key' as the key pair.
  771  * The client will trust CA cert 'cacert', and use 'host' as the server
  772  * name.  If realhost is non-NULL, this address will be used to connect
  773  * to in favour of host; the server is otherwise identified as 'host'.
  774  * 'msg' must be a substring of the error string.
  775  * 'failures' must equal the failure bitmask passed to the verify
  776  * callback in the client.
  777  * If none of the expected conditions is met, 'errstr' will be
  778  * used in the test failure context.
  779  */
  780 static int fail_ssl_request_with_error2(char *cert, char *key, char *cacert, 
  781                                         const char *host, const char *realhost,
  782                                         const char *msg, int failures,
  783                                         const char *errstr)
  784 {
  785     ne_session *sess = ne_session_create("https", host, 7777);
  786     int gotf = 0, ret;
  787     struct ssl_server_args args = {0};
  788     ne_sock_addr *addr = NULL;
  789     const ne_inet_addr **list = NULL;
  790 
  791     if (realhost) {
  792         size_t n;
  793         const ne_inet_addr *ia;
  794 
  795         addr = ne_addr_resolve(realhost, 0);
  796 
  797         ONV(ne_addr_result(addr),
  798             ("fake hostname lookup failed for %s", realhost));
  799 
  800         NE_DEBUG(NE_DBG_SSL, "ssl: Using fake hostname '%s'\n", realhost);
  801 
  802         for (n = 0, ia = ne_addr_first(addr); ia; ia = ne_addr_next(addr))
  803             n++;
  804 
  805         NE_DEBUG(NE_DBG_SSL, "ssl: Address count '%lu'\n", n);
  806 
  807         list = ne_calloc(n * sizeof(*list));
  808 
  809         for (n = 0, ia = ne_addr_first(addr); ia; ia = ne_addr_next(addr))
  810             list[n++] = ia;
  811         
  812         ne_set_addrlist(sess, list, n);
  813     }
  814 
  815     args.cert = cert;
  816     args.key = key;
  817     args.fail_silently = 1;
  818     
  819     ret = any_ssl_request(sess, ssl_server, &args, cacert,
  820               get_failures, &gotf);
  821 
  822     ONV(gotf == 0,
  823     ("no error in verification callback; request rv %d error string: %s",
  824      ret, ne_get_error(sess)));
  825 
  826     ONV(gotf & ~NE_SSL_FAILMASK,
  827     ("verification flags %x outside mask %x", gotf, NE_SSL_FAILMASK));
  828 
  829     /* check the failure flags were as expected. */
  830     ONV(failures != gotf,
  831     ("verification flags were %d not %d", gotf, failures));
  832 
  833     /* and check that the request was failed too. */
  834     ONV(ret == NE_OK, ("%s", msg));
  835 
  836     ONV(errstr && strstr(ne_get_error(sess), errstr) == NULL,
  837         ("unexpected failure message '%s', wanted '%s'",
  838          ne_get_error(sess), errstr));
  839         
  840     ne_session_destroy(sess);
  841     if (addr) ne_addr_destroy(addr);
  842     if (list) ne_free(list);
  843 
  844     return OK;
  845 }
  846 
  847 /* Helper function: run a request using the given self-signed server
  848  * certificate, and expect the request to fail with the given
  849  * verification failure flags. */
  850 static int fail_ssl_request_with_error(char *cert, char *cacert, const char *host,
  851                                        const char *msg, int failures,
  852                                        const char *errstr)
  853 {
  854     return fail_ssl_request_with_error2(cert, NULL, cacert, host, NULL,
  855                                         msg, failures, errstr);
  856 }
  857 
  858 
  859 /* Helper function: run a request using the given self-signed server
  860  * certificate, and expect the request to fail with the given
  861  * verification failure flags. */
  862 static int fail_ssl_request(char *cert, char *cacert, const char *host,
  863                 const char *msg, int failures)
  864 {
  865     return fail_ssl_request_with_error(cert, cacert, host, msg, failures,
  866                                        NULL);
  867 }        
  868 
  869 /* Note that the certs used for fail_* are mostly self-signed, so the
  870  * cert is passed as CA cert and server cert to fail_ssl_request. */
  871 
  872 /* Check that a certificate with the incorrect commonName attribute is
  873  * flagged as such. */
  874 static int fail_wrongCN(void)
  875 {
  876     return fail_ssl_request_with_error("wrongcn.cert", "ca/cert.pem", "localhost",
  877                                        "certificate with incorrect CN was accepted",
  878                                        NE_SSL_IDMISMATCH,
  879                                        "certificate issued for a different hostname");
  880                             
  881 }
  882 
  883 #define SRCDIR(s) ne_concat(srcdir, "/" s, NULL)
  884 
  885 #ifndef HAVE_GNUTLS
  886 static int fail_nul_cn(void)
  887 {
  888     char *key = SRCDIR("nulsrv.key"), *ca = SRCDIR("nulca.pem");
  889     CALL(fail_ssl_request_with_error2(nul_cn_fn, key, ca,
  890                                       "www.bank.com", "localhost",
  891                                       "certificate with incorrect CN was accepted",
  892                                       NE_SSL_IDMISMATCH|NE_SSL_EXPIRED|NE_SSL_BADCHAIN,
  893                                       "certificate issued for a different hostname"));
  894     ne_free(key);
  895     ne_free(ca);
  896     return OK;
  897 }
  898 
  899 static int fail_nul_san(void)
  900 {
  901     char *cert = SRCDIR("nulsan.pem"), *key = SRCDIR("nulsrv.key"),
  902         *ca = SRCDIR("nulca.pem");
  903     CALL(fail_ssl_request_with_error2(cert, key, ca, 
  904                                       "www.bank.com", "localhost",
  905                                       "certificate with incorrect CN was accepted",
  906                                       NE_SSL_IDMISMATCH|NE_SSL_EXPIRED|NE_SSL_BADCHAIN,
  907                                       "certificate issued for a different hostname"));
  908     ne_free(cert);
  909     ne_free(key);
  910     ne_free(ca);
  911     return OK;
  912 }
  913 #endif
  914 
  915 /* Check that an expired certificate is flagged as such. */
  916 static int fail_expired(void)
  917 {
  918     return fail_ssl_request_with_error("expired.cert", CA_CERT,  "localhost",
  919                                        "expired certificate was accepted", 
  920                                        NE_SSL_EXPIRED,
  921                                        "certificate has expired");
  922 }
  923 
  924 static int fail_notvalid(void)
  925 {
  926     return fail_ssl_request_with_error("notyet.cert", CA_CERT,  "localhost",
  927                                        "not yet valid certificate was accepted",
  928                                        NE_SSL_NOTYETVALID,
  929                                        "certificate is not yet valid");
  930 }
  931 
  932 /* Check that a server cert with a random issuer and self-signed cert
  933  * fail with UNTRUSTED. */
  934 static int fail_untrusted_ca(void)
  935 {
  936     return fail_ssl_request_with_error("server.cert", NULL, "localhost",
  937                                        "untrusted CA.", NE_SSL_UNTRUSTED,
  938                                        "issuer is not trusted");
  939 }
  940 
  941 static int fail_self_signed(void)
  942 {
  943     return fail_ssl_request("ssigned.pem", NULL,  "localhost",
  944                             "self-signed cert", NE_SSL_UNTRUSTED);
  945 }
  946 
  947 /* Test for failure when a server cert is presented which has no
  948  * commonName (and no alt names either). */
  949 static int fail_missing_CN(void)
  950 {
  951     ne_session *sess = DEFSESS;
  952 
  953     ONN("accepted server cert with missing commonName",
  954         any_ssl_request(sess, fail_serve, "missingcn.cert", SERVER_CERT,
  955                         NULL, NULL) == NE_OK);
  956     
  957     ONV(strstr(ne_get_error(sess), "missing commonName") == NULL,
  958         ("unexpected session error `%s'", ne_get_error(sess)));
  959 
  960     ne_session_destroy(sess);
  961     return OK;
  962 }                            
  963 
  964 /* test for a bad ipAddress altname */
  965 static int fail_bad_ipaltname(void)
  966 {
  967     return fail_ssl_request("altname6.cert", CA_CERT, "127.0.0.1",
  968                             "bad IP altname cert", NE_SSL_IDMISMATCH);
  969 }
  970 
  971 /* test for a ipAddress which matched against the hostname as per neon
  972  * 0.24 behaviour. */
  973 static int fail_host_ipaltname(void)
  974 {
  975     return fail_ssl_request("altname5.cert", CA_CERT, "localhost",
  976                             "bad IP altname cert", NE_SSL_IDMISMATCH);
  977 }
  978 
  979 static int fail_bad_urialtname(void)
  980 {
  981     return fail_ssl_request("altname8.cert", CA_CERT, "localhost",
  982                             "bad URI altname cert", NE_SSL_IDMISMATCH);
  983 }
  984 
  985 static int fail_wildcard(void)
  986 {
  987     return fail_ssl_request("altname9.cert", CA_CERT, "localhost",
  988                             "subjaltname not honored", NE_SSL_IDMISMATCH);
  989 }
  990 
  991 static int fail_wildcard_ip(void)
  992 {
  993     return fail_ssl_request("wildip.cert", CA_CERT, "127.0.0.1",
  994                             "wildcard IP", NE_SSL_IDMISMATCH);
  995 }
  996 
  997 static int fail_ca_expired(void)
  998 {
  999     return fail_ssl_request_with_error("ca1server.cert", "ca1/cert.pem", 
 1000                                        "localhost", "issuer ca expired", 
 1001                                        NE_SSL_BADCHAIN,
 1002                                        "bad certificate chain");
 1003 }
 1004 
 1005 static int fail_ca_notyetvalid(void)
 1006 {
 1007     return fail_ssl_request("ca3server.cert", "ca3/cert.pem", "localhost",
 1008                             "issuer ca not yet valid", NE_SSL_BADCHAIN);
 1009 }
 1010 
 1011 #if 0
 1012 /* Test that the SSL session is cached across connections. */
 1013 static int session_cache(void)
 1014 {
 1015     struct ssl_server_args args = {0};
 1016     ne_session *sess;
 1017 
 1018     args.cert = SERVER_CERT;
 1019     args.cache = 1;
 1020 
 1021     CALL(multi_session_server(&sess, "https", "localhost",
 1022                               2, ssl_server, &args));
 1023 
 1024     ne_ssl_trust_cert(sess, def_ca_cert);
 1025 
 1026     ONREQ(any_request(sess, "/req1"));
 1027     ONREQ(any_request(sess, "/req2"));
 1028     ne_session_destroy(sess);
 1029 
 1030     return await_server();
 1031 }
 1032 #endif
 1033 
 1034 /* Callback for client_cert_provider; takes a c. cert as userdata and
 1035  * registers it. */
 1036 static void ccert_provider(void *userdata, ne_session *sess,
 1037                            const ne_ssl_dname *const *dns, int dncount)
 1038 {
 1039     const ne_ssl_client_cert *cc = userdata;
 1040     ne_ssl_set_clicert(sess, cc);
 1041 }
 1042 
 1043 /* Test that the on-demand client cert provider callback is used. */
 1044 static int client_cert_provided(void)
 1045 {
 1046     ne_session *sess = DEFSESS;
 1047     ne_ssl_client_cert *cc;
 1048     struct ssl_server_args args = {SERVER_CERT, NULL};
 1049 
 1050     args.require_cc = 1;
 1051 
 1052     cc = ne_ssl_clicert_read("client.p12");
 1053     ONN("could not load client.p12", cc == NULL);
 1054     ONN("could not decrypt client.p12", 
 1055         ne_ssl_clicert_decrypt(cc, P12_PASSPHRASE));
 1056     
 1057     ne_ssl_provide_clicert(sess, ccert_provider, cc);
 1058     CALL(any_ssl_request(sess, ssl_server, &args, CA_CERT,
 1059                          NULL, NULL));
 1060 
 1061     ne_session_destroy(sess);
 1062     ne_ssl_clicert_free(cc);
 1063     return OK;
 1064 }
 1065 
 1066 #define DN_COUNT 5
 1067 
 1068 static void cc_check_dnames(void *userdata, ne_session *sess,
 1069                             const ne_ssl_dname *const *dns, int dncount)
 1070 {
 1071     int n, *ret = userdata;
 1072     static const char *expected[DN_COUNT] = {
 1073         CACERT_DNAME,
 1074         "First Random CA, CAs Ltd., Lincoln, Lincolnshire, GB",
 1075         "Second Random CA, CAs Ltd., Falmouth, Cornwall, GB",
 1076         "Third Random CA, CAs Ltd., Ipswich, Suffolk, GB",
 1077         "Fourth Random CA, CAs Ltd., Norwich, Norfolk, GB"
 1078     };
 1079 
 1080     ne_ssl_set_clicert(sess, def_cli_cert);
 1081 
 1082     if (dncount != DN_COUNT) {
 1083         t_context("dname count was %d not %d", dncount, 
 1084                   DN_COUNT);
 1085         *ret = -1;
 1086         return;
 1087     }
 1088     
 1089     for (n = 0; n < DN_COUNT; n++) {
 1090         char which[5];
 1091 
 1092         sprintf(which, "%d", n);
 1093 
 1094         if (check_dname(dns[n], expected[n], which) == FAIL) {
 1095             *ret = -1;
 1096             return;
 1097         }
 1098     }
 1099 
 1100     *ret = 1;
 1101 }
 1102 
 1103 /* Test for the list of acceptable dnames sent to the client. */
 1104 static int cc_provided_dnames(void)
 1105 {
 1106     int check = 0;
 1107     ne_session *sess = DEFSESS;
 1108     struct ssl_server_args args = {SERVER_CERT, NULL};
 1109 
 1110     args.require_cc = 1;
 1111     args.ca_list = "calist.pem";
 1112 
 1113     PRECOND(def_cli_cert);
 1114 
 1115     ne_ssl_provide_clicert(sess, cc_check_dnames, &check);
 1116 
 1117     CALL(any_ssl_request(sess, ssl_server, &args, CA_CERT, NULL, NULL));
 1118 
 1119     ne_session_destroy(sess);
 1120 
 1121     ONN("provider function not called", check == 0);
 1122 
 1123     return (check == -1) ? FAIL : OK;
 1124 }
 1125 
 1126 /* Tests use of a client certificate. */
 1127 static int client_cert_pkcs12(void)
 1128 {
 1129     ne_session *sess = DEFSESS;
 1130     struct ssl_server_args args = {SERVER_CERT, NULL};
 1131 
 1132     args.require_cc = 1;
 1133 
 1134     PRECOND(def_cli_cert);
 1135 
 1136     ne_ssl_set_clicert(sess, def_cli_cert);
 1137     CALL(any_ssl_request(sess, ssl_server, &args, CA_CERT, NULL, NULL));
 1138 
 1139     ne_session_destroy(sess);    
 1140     return OK;
 1141 }
 1142 
 1143 /* Test use of a PKCS#12 cert with an embedded CA cert - fails with <=
 1144  * 0.28.3 in GnuTLS build. */
 1145 static int client_cert_ca(void)
 1146 {
 1147     ne_session *sess = DEFSESS;
 1148     struct ssl_server_args args = {SERVER_CERT, NULL};
 1149     ne_ssl_client_cert *cc;
 1150 
 1151     args.require_cc = 1;
 1152 
 1153     cc = ne_ssl_clicert_read("clientca.p12");
 1154     ONN("could not load clientca.p12", cc == NULL);
 1155     ONN("encrypted cert marked unencrypted?", !ne_ssl_clicert_encrypted(cc));
 1156     ONN("could not decrypt clientca.p12", 
 1157         ne_ssl_clicert_decrypt(cc, P12_PASSPHRASE));
 1158 
 1159     ne_ssl_set_clicert(sess, cc);
 1160     CALL(any_ssl_request(sess, ssl_server, &args, CA_CERT, NULL, NULL));
 1161 
 1162     ne_ssl_clicert_free(cc);
 1163 
 1164     ne_session_destroy(sess);    
 1165     return OK;
 1166 }
 1167 
 1168 /* Tests use of an unencrypted client certificate. */
 1169 static int ccert_unencrypted(void)
 1170 {
 1171     ne_session *sess = DEFSESS;
 1172     ne_ssl_client_cert *ccert;
 1173     struct ssl_server_args args = {SERVER_CERT, NULL};
 1174 
 1175     args.require_cc = 1;
 1176 
 1177     ccert = ne_ssl_clicert_read("unclient.p12");
 1178     ONN("could not load unclient.p12", ccert == NULL);
 1179     ONN("unclient.p12 was encrypted", ne_ssl_clicert_encrypted(ccert));
 1180 
 1181     ne_ssl_set_clicert(sess, ccert);
 1182     CALL(any_ssl_request(sess, ssl_server, &args, CA_CERT, NULL, NULL));
 1183 
 1184     ne_ssl_clicert_free(ccert);
 1185     ne_session_destroy(sess);
 1186     return OK;
 1187 }
 1188 
 1189 #define NOCERT_MESSAGE "client certificate was requested"
 1190 /* random SSL read may fail like this with TLSv1.3 */
 1191 #define NOCERT_ALT "certificate required"
 1192 
 1193 /* Tests for useful error message if a handshake fails where a client
 1194  * cert was requested. */
 1195 static int no_client_cert(void)
 1196 {
 1197     ne_session *sess = DEFSESS;
 1198     struct ssl_server_args args = {SERVER_CERT, NULL};
 1199     int ret;
 1200 
 1201     args.require_cc = 1;
 1202     args.fail_silently = 1;
 1203 
 1204     ne_ssl_trust_cert(sess, def_ca_cert);
 1205 
 1206     CALL(spawn_server(7777, ssl_server, &args));
 1207     
 1208     ret = any_request(sess, "/failme");
 1209 
 1210     ONV(ret != NE_ERROR,
 1211         ("unexpected result %d: %s", ret, ne_get_error(sess)));
 1212 
 1213     ONV(strstr(ne_get_error(sess), NOCERT_MESSAGE) == NULL
 1214         && strstr(ne_get_error(sess), NOCERT_ALT) == NULL,
 1215         ("error message was '%s', missing '%s'", 
 1216          ne_get_error(sess), NOCERT_MESSAGE));
 1217     
 1218     reap_server();
 1219 
 1220     ne_session_destroy(sess);    
 1221     return OK;
 1222 }
 1223 
 1224 /* non-zero if a server auth header was received */
 1225 static int got_server_auth; 
 1226 
 1227 /* Utility function which accepts the 'tunnel' header. */
 1228 static void tunnel_header(char *value)
 1229 {
 1230     got_server_auth = 1;
 1231 }
 1232 
 1233 /* Server which acts as a proxy accepting a CONNECT request. */
 1234 static int serve_tunnel(ne_socket *sock, void *ud)
 1235 {
 1236     struct ssl_server_args *args = ud;
 1237 
 1238     /* check for a server auth function */
 1239     want_header = "Authorization";
 1240     got_header = tunnel_header;
 1241     got_server_auth = 0;
 1242 
 1243     /* give the plaintext tunnel reply, acting as the proxy */
 1244     CALL(discard_request(sock));
 1245 
 1246     if (got_server_auth) {
 1247         SEND_STRING(sock, "HTTP/1.1 500 Leaked Server Auth Creds\r\n"
 1248                     "Content-Length: 0\r\n" "Server: serve_tunnel\r\n\r\n");
 1249         return 0;
 1250     } else {
 1251         SEND_STRING(sock, "HTTP/1.1 200 OK\r\nServer: serve_tunnel\r\n\r\n");
 1252         return ssl_server(sock, args);
 1253     }
 1254 }
 1255 
 1256 /* neon versions <= 0.21.2 segfault here because ne_sock_close would
 1257  * be called twice on the socket after the server cert verification
 1258  * fails. */
 1259 static int fail_tunnel(void)
 1260 {
 1261     ne_session *sess = ne_session_create("https", "example.com", 443);
 1262     struct ssl_server_args args = {SERVER_CERT, NULL};
 1263 
 1264     ne_session_proxy(sess, "localhost", 7777);
 1265 
 1266     ONN("server cert verification didn't fail",
 1267     any_ssl_request(sess, serve_tunnel, &args, CA_CERT,
 1268             NULL, NULL) != NE_ERROR);
 1269     
 1270     ne_session_destroy(sess);
 1271     return OK;
 1272 }
 1273 
 1274 static int proxy_tunnel(void)
 1275 {
 1276     ne_session *sess = ne_session_create("https", "localhost", 443);
 1277     struct ssl_server_args args = {SERVER_CERT, NULL};
 1278 
 1279     ne_session_proxy(sess, "localhost", 7777);
 1280     
 1281     /* CA cert is trusted, so no verify callback should be needed. */
 1282     CALL(any_ssl_request(sess, serve_tunnel, &args, CA_CERT,
 1283              NULL, NULL));
 1284 
 1285     ne_session_destroy(sess);
 1286     return OK;
 1287 }
 1288 
 1289 #define RESP_0LENGTH "HTTP/1.1 200 OK\r\n" "Content-Length: 0\r\n" "\r\n"
 1290 
 1291 /* a tricky test which requires spawning a second server process in
 1292  * time for a new connection after a 407. */
 1293 static int apt_post_send(ne_request *req, void *ud, const ne_status *st)
 1294 {
 1295     int *code = ud;
 1296     if (st->code == *code) {
 1297         struct ssl_server_args args = {SERVER_CERT, NULL};
 1298     
 1299         if (*code == 407) args.numreqs = 2;
 1300         args.response = RESP_0LENGTH;
 1301 
 1302         NE_DEBUG(NE_DBG_HTTP, "Got challenge, awaiting server...\n");
 1303         CALL(await_server());
 1304         NE_DEBUG(NE_DBG_HTTP, "Spawning proper tunnel server...\n");
 1305         /* serve *two* 200 OK responses. */
 1306         CALL(spawn_server(7777, serve_tunnel, &args));
 1307         NE_DEBUG(NE_DBG_HTTP, "Spawned.\n");
 1308     }
 1309     return OK;
 1310 }
 1311 
 1312 static int apt_creds(void *userdata, const char *realm, int attempt,
 1313                      char *username, char *password)
 1314 {
 1315     strcpy(username, "foo");
 1316     strcpy(password, "bar");
 1317     return attempt;
 1318 }
 1319 
 1320 /* Test for using SSL over a CONNECT tunnel via a proxy server which
 1321  * requires authentication.  Broke briefly between 0.23.x and
 1322  * 0.24.0. */
 1323 static int auth_proxy_tunnel(void)
 1324 {
 1325     ne_session *sess = ne_session_create("https", "localhost", 443);
 1326     int ret, code = 407;
 1327     
 1328     ne_session_proxy(sess, "localhost", 7777);
 1329     ne_hook_post_send(sess, apt_post_send, &code);
 1330     ne_set_proxy_auth(sess, apt_creds, NULL);
 1331     ne_ssl_trust_cert(sess, def_ca_cert);
 1332     
 1333     CALL(spawn_server(7777, single_serve_string,
 1334                       "HTTP/1.0 407 I WANT MORE BISCUITS\r\n"
 1335                       "Proxy-Authenticate: Basic realm=\"bigbluesea\"\r\n"
 1336                       "Connection: close\r\n" "\r\n"));
 1337     
 1338     /* run two requests over the tunnel. */
 1339     ret = any_2xx_request(sess, "/foobar");
 1340     if (!ret) ret = any_2xx_request(sess, "/foobar2");
 1341     CALL(await_server());
 1342     CALL(ret);
 1343 
 1344     ne_session_destroy(sess);
 1345     return 0;
 1346 }
 1347 
 1348 /* Regression test to check that server credentials aren't sent to the
 1349  * proxy in a CONNECT request. */
 1350 static int auth_tunnel_creds(void)
 1351 {
 1352     ne_session *sess = ne_session_create("https", "localhost", 443);
 1353     int ret, code = 401;
 1354     struct ssl_server_args args = {SERVER_CERT, 0};
 1355     
 1356     ne_session_proxy(sess, "localhost", 7777);
 1357     ne_hook_post_send(sess, apt_post_send, &code);
 1358     ne_set_server_auth(sess, apt_creds, NULL);
 1359     ne_ssl_trust_cert(sess, def_ca_cert);
 1360     
 1361     args.response = "HTTP/1.1 401 I want a Shrubbery\r\n"
 1362         "WWW-Authenticate: Basic realm=\"bigredocean\"\r\n"
 1363         "Server: Python\r\n" "Content-Length: 0\r\n" "\r\n";
 1364     
 1365     CALL(spawn_server(7777, serve_tunnel, &args));
 1366     ret = any_2xx_request(sess, "/foobar");
 1367     CALL(await_server());
 1368     CALL(ret);
 1369 
 1370     ne_session_destroy(sess);
 1371     return OK;    
 1372 }
 1373 
 1374 static int auth_tunnel_fail(void)
 1375 {
 1376     ne_session *sess = ne_session_create("https", "localhost", 443);
 1377     int ret;
 1378 
 1379     CALL(spawn_server(7777, single_serve_string,
 1380                       "HTTP/1.1 407 Nyaaaaah\r\n"
 1381                       "Proxy-Authenticate: GaBoogle\r\n"
 1382                       "Connection: close\r\n"
 1383                       "\r\n"));
 1384     
 1385     ne_session_proxy(sess, "localhost", 7777);
 1386 
 1387     ne_set_proxy_auth(sess, apt_creds, NULL);
 1388      
 1389     ret = any_request(sess, "/bar");
 1390     ONV(ret != NE_PROXYAUTH, ("bad error code for tunnel failure: %d", ret));
 1391 
 1392     ONV(strstr(ne_get_error(sess), "GaBoogle") == NULL,
 1393         ("bad error string for tunnel failure: %s", ne_get_error(sess)));
 1394 
 1395     ne_session_destroy(sess);
 1396 
 1397     return await_server();
 1398 }
 1399 
 1400 /* compare against known digest of notvalid.pem.  Via:
 1401  *   $ openssl x509 -fingerprint -sha1 -noout -in notvalid.pem */
 1402 #define THE_DIGEST "cf:5c:95:93:76:c6:3c:01:8b:62:" \
 1403                    "b1:6f:f7:7f:42:32:ac:e6:69:1b"
 1404 
 1405 static int cert_fingerprint(void)
 1406 {
 1407     char *fn = ne_concat(srcdir, "/notvalid.pem", NULL);
 1408     ne_ssl_certificate *cert = ne_ssl_cert_read(fn);
 1409     char digest[60];
 1410     
 1411     ne_free(fn);
 1412 
 1413     ONN("could not load notvalid.pem", cert == NULL);
 1414 
 1415     ONN("failed to digest", ne_ssl_cert_digest(cert, digest));
 1416     ne_ssl_cert_free(cert);
 1417 
 1418     ONV(strcmp(digest, THE_DIGEST),
 1419         ("digest was %s not %s", digest, THE_DIGEST));
 1420 
 1421     return OK;
 1422 }
 1423 
 1424 /* verify that identity of certificate in filename 'fname' is 'identity' */
 1425 static int check_identity(const char *fname, const char *identity)
 1426 {
 1427     ne_ssl_certificate *cert = ne_ssl_cert_read(fname);
 1428     const char *id;
 1429 
 1430     ONV(cert == NULL, ("could not read cert `%s'", fname));
 1431 
 1432     id = ne_ssl_cert_identity(cert);
 1433 
 1434     if (identity) {
 1435         ONV(id == NULL, ("certificate `%s' had no identity", fname));
 1436         ONV(strcmp(id, identity), 
 1437             ("certificate `%s' had identity `%s' not `%s'", fname, 
 1438              id, identity));
 1439     } else {
 1440         ONV(id != NULL, ("certificate `%s' had identity `%s' (expected none)",
 1441                          fname, id));
 1442     }            
 1443     
 1444     ne_ssl_cert_free(cert);
 1445     return OK;
 1446 }
 1447 
 1448 /* check certificate identities. */
 1449 static int cert_identities(void)
 1450 {
 1451     static const struct {
 1452         const char *fname, *identity;
 1453     } certs[] = {
 1454         { "ssigned.pem", "localhost" },
 1455         { "twocn.cert", "localhost" },
 1456         { "altname1.cert", "localhost" },
 1457         { "altname2.cert", "nohost.example.com" },
 1458         { "altname4.cert", "localhost" },
 1459         { "ca4.pem", "fourth.example.com" },
 1460         { "altname8.cert", "http://nohost.example.com/" },
 1461         { NULL, NULL }
 1462     };
 1463     int n;
 1464 
 1465     for (n = 0; certs[n].fname != NULL; n++)
 1466         CALL(check_identity(certs[n].fname, certs[n].identity));
 1467 
 1468     return OK;
 1469 }
 1470 
 1471 static int nulcn_identity(void)
 1472 {
 1473     ne_ssl_certificate *cert = ne_ssl_cert_read(nul_cn_fn);
 1474     const char *id;
 1475 
 1476     ONN("could not read nulcn.pem", cert == NULL);
 1477 
 1478     id = ne_ssl_cert_identity(cert);
 1479 
 1480     ONN("embedded NUL byte not quoted",
 1481         id != NULL && strcmp(id, "www.bank.com") == 0);
 1482     
 1483     ne_ssl_cert_free(cert);
 1484     return OK;
 1485 }
 1486 
 1487 static int check_validity(const char *fname,
 1488                           const char *from, const char *until)
 1489 {
 1490     char actfrom[NE_SSL_VDATELEN], actuntil[NE_SSL_VDATELEN];
 1491     ne_ssl_certificate *cert;
 1492 
 1493     cert = ne_ssl_cert_read(fname);
 1494     ONV(cert == NULL, ("could not load cert `%s'", fname));
 1495 
 1496     /* cover all calling combos for nice coverage analysis */
 1497     ne_ssl_cert_validity(cert, NULL, NULL);
 1498     ne_ssl_cert_validity(cert, actfrom, NULL);
 1499     ne_ssl_cert_validity(cert, NULL, actuntil);
 1500     ne_ssl_cert_validity(cert, actfrom, actuntil);
 1501 
 1502     ONV(strcmp(actfrom, from), 
 1503         ("%s: start time was `%s' not `%s'", fname, actfrom, from));
 1504 
 1505     ONV(strcmp(actuntil, until), 
 1506         ("%s: end time was `%s' not `%s'", fname, actuntil, until));
 1507 
 1508     ne_ssl_cert_free(cert);
 1509     return OK;
 1510 }
 1511 
 1512 /* ceritificate validity times. */
 1513 static int cert_validity(void)
 1514 {
 1515     char *cert = ne_concat(srcdir, "/expired.pem", NULL);
 1516     CALL(check_validity(cert, 
 1517                         "Mon, 21 Jan 2002 20:39:04 GMT", "Thu, 31 Jan 2002 20:39:04 GMT"));
 1518     ne_free(cert);
 1519     cert = ne_concat(srcdir, "/notvalid.pem", NULL);
 1520     CALL(check_validity(cert, 
 1521                         "Wed, 27 Dec 2023 20:40:29 GMT", "Thu, 28 Dec 2023 20:40:29 GMT"));
 1522     ne_free(cert);
 1523     return OK;
 1524 }
 1525 
 1526 /* dname comparisons. */
 1527 static int dname_compare(void)
 1528 {
 1529     ne_ssl_certificate *ssigned;
 1530     const ne_ssl_dname *dn1, *dn2;
 1531     
 1532     dn1 = ne_ssl_cert_subject(def_server_cert);
 1533     dn2 = ne_ssl_cert_subject(def_server_cert);
 1534     ONN("identical subject names not equal", ne_ssl_dname_cmp(dn1, dn2) != 0);
 1535 
 1536     dn2 = ne_ssl_cert_issuer(def_server_cert);
 1537     ONN("issuer and subject names equal for signed cert",
 1538         ne_ssl_dname_cmp(dn1, dn2) == 0);
 1539     
 1540     dn1 = ne_ssl_cert_subject(def_ca_cert);
 1541     ONN("issuer of signed cert not equal to subject of CA cert",
 1542         ne_ssl_dname_cmp(dn1, dn2) != 0);
 1543 
 1544     ssigned = ne_ssl_cert_read("ssigned.pem");
 1545     ONN("could not load ssigned.pem", ssigned == NULL);
 1546 
 1547     dn1 = ne_ssl_cert_subject(ssigned);
 1548     dn2 = ne_ssl_cert_issuer(ssigned);
 1549     ONN("issuer and subject names not equal for self-signed cert",
 1550         ne_ssl_dname_cmp(dn1, dn2));
 1551     ne_ssl_cert_free(ssigned);
 1552 
 1553     return OK;
 1554 }
 1555 
 1556 /* The dname with the UTF-8 encoding of the Unicode string: 
 1557  * "H<LATIN SMALL LETTER E WITH GRAVE>llo World". */
 1558 #define I18N_DNAME "H\xc3\xa8llo World, Neon Hackers Ltd, Cambridge, Cambridgeshire, GB"
 1559 
 1560 /* N.B. t61subj.cert encodes an ISO-8859-1 string in a T61String
 1561  * field, which is strictly wrong but the common usage. */
 1562 
 1563 /* tests for ne_ssl_readable_dname */
 1564 static int dname_readable(void)
 1565 {
 1566     struct {
 1567         const char *cert;
 1568         const char *subjdn, *issuerdn;
 1569     } ts[] = {
 1570         { "justmail.cert", "blah@example.com", NULL },
 1571         { "t61subj.cert", I18N_DNAME, NULL },
 1572         { "bmpsubj.cert", I18N_DNAME, NULL },
 1573         { "utf8subj.cert", I18N_DNAME, NULL },
 1574         { "twoou.cert", "First OU Dept, Second OU Dept, Neon Hackers Ltd, "
 1575           "Cambridge, Cambridgeshire, GB" }
 1576     };
 1577     size_t n;
 1578 
 1579     for (n = 0; n < sizeof(ts)/sizeof(ts[0]); n++) {
 1580         ne_ssl_certificate *cert = ne_ssl_cert_read(ts[n].cert);
 1581         ONV(cert == NULL, ("could not load cert %s", ts[n].cert));
 1582         CALL(check_cert_dnames(cert, ts[n].subjdn, ts[n].issuerdn));
 1583         ne_ssl_cert_free(cert);
 1584     }
 1585 
 1586     return OK;
 1587 }
 1588 
 1589 /* test cert comparisons */
 1590 static int cert_compare(void)
 1591 {
 1592     ne_ssl_certificate *c1, *c2;
 1593 
 1594     c1 = ne_ssl_cert_read("server.cert");
 1595     c2 = ne_ssl_cert_read("server.cert");
 1596     ONN("identical certs don't compare equal", ne_ssl_cert_cmp(c1, c2) != 0);
 1597     ONN("identical certs don't compare equal", ne_ssl_cert_cmp(c2, c1) != 0);
 1598     ne_ssl_cert_free(c2);
 1599 
 1600     c2 = ne_ssl_cert_read("ssigned.pem");
 1601     ONN("different certs don't compare different",
 1602         ne_ssl_cert_cmp(c1, c2) == 0);
 1603     ONN("different certs don't compare different",
 1604         ne_ssl_cert_cmp(c2, c1) == 0);
 1605     ne_ssl_cert_free(c2);
 1606     ne_ssl_cert_free(c1);
 1607 
 1608     return OK;
 1609 }
 1610 
 1611 /* Extract raw base64 string from a PEM file */
 1612 static int flatten_pem(const char *fname, char **out)
 1613 {
 1614     FILE *fp = fopen(fname, "r");
 1615     char buf[80];
 1616     size_t outlen = 0;
 1617     int ignore = 1;
 1618 
 1619     ONV(fp == NULL, ("could not open %s", fname));
 1620 
 1621     *out = NULL;
 1622 
 1623     while (fgets(buf, sizeof buf, fp) != NULL) {
 1624         size_t len = strlen(buf) - 1;
 1625         
 1626         if (len < 1) continue;
 1627 
 1628         /* look for the wrapper lines. */
 1629         if (strncmp(buf, "-----", 5) == 0) {
 1630             ignore = !ignore;
 1631             continue;
 1632         }
 1633 
 1634         /* ignore until the first wrapper line */
 1635         if (ignore) continue;
 1636         
 1637         *out = realloc(*out, outlen + len + 1);
 1638         memcpy(*out + outlen, buf, len);
 1639         outlen += len;
 1640     }
 1641 
 1642     (*out)[outlen] = '\0';
 1643     fclose(fp);
 1644 
 1645     return OK;
 1646 }
 1647 
 1648 /* check export cert data 'actual' against expected data 'expected */
 1649 static int check_exported_data(const char *actual, const char *expected)
 1650 {
 1651     ONN("could not export cert", actual == NULL);
 1652 
 1653     ONN("export data contained newline",
 1654         strchr(actual, '\r') || strchr(actual, '\n'));        
 1655 
 1656     ONV(strcmp(actual, expected), ("exported cert differed from expected:\n"
 1657                                    "actual: %s\nexpected: %s", 
 1658                                    actual, expected));
 1659     return OK;
 1660 }
 1661 
 1662 /* Test import and export of certificates.  The export format is PEM
 1663  * without the line feeds and wrapping; compare against . */
 1664 static int import_export(void)
 1665 {
 1666     char *expected, *actual;
 1667     ne_ssl_certificate *cert, *imp;
 1668 
 1669     CALL(flatten_pem("server.cert", &expected));
 1670     
 1671     cert = ne_ssl_cert_read("server.cert");
 1672     ONN("could not load server.cert", cert == NULL);
 1673 
 1674     /* export the cert to and compare it with the PEM file */
 1675     actual = ne_ssl_cert_export(cert);
 1676     CALL(check_exported_data(actual, expected));
 1677 
 1678     /* import the exported cert data, check it looks the same */
 1679     imp = ne_ssl_cert_import(actual);
 1680     ONN("failed to import exported cert", imp == NULL);
 1681     ONN("imported cert was different to original", 
 1682         ne_ssl_cert_cmp(imp, cert));
 1683 
 1684     /* re-export the imported cert and check that looks the same */
 1685     ne_free(actual);
 1686     actual = ne_ssl_cert_export(imp);
 1687     CALL(check_exported_data(actual, expected));
 1688     ne_ssl_cert_free(imp);
 1689 
 1690     /* try importing from bogus data */
 1691     imp = ne_ssl_cert_import("!!");
 1692     ONN("imported bogus cert from bogus base64", imp != NULL);
 1693     imp = ne_ssl_cert_import("aaaa");
 1694     ONN("imported bogus cert from valid base64", imp != NULL);
 1695 
 1696     ne_ssl_cert_free(cert);
 1697     ne_free(actual);
 1698     ne_free(expected);
 1699     return OK;
 1700 }
 1701 
 1702 /* Test write/read */
 1703 static int read_write(void)
 1704 {
 1705     ne_ssl_certificate *c1, *c2;
 1706 
 1707     c1 = ne_ssl_cert_read("server.cert");
 1708     ONN("could not load server.cert", c1 == NULL);
 1709 
 1710     ONN("could not write output.pem", ne_ssl_cert_write(c1, "output.pem"));
 1711     
 1712     ONN("wrote to nonexistent directory",
 1713         ne_ssl_cert_write(c1, "nonesuch/output.pem") == 0);
 1714 
 1715     c2 = ne_ssl_cert_read("output.pem");
 1716     ONN("could not read output.pem", c2 == NULL);
 1717     
 1718     ONN("read of output.pem differs from original",
 1719         ne_ssl_cert_cmp(c2, c1));
 1720 
 1721     ne_ssl_cert_free(c1);
 1722     ne_ssl_cert_free(c2);
 1723 
 1724     return OK;
 1725 }
 1726 
 1727 /* A verification callback which caches the passed cert. */
 1728 static int verify_cache(void *userdata, int fs,
 1729                         const ne_ssl_certificate *cert)
 1730 {
 1731     char **cache = userdata;
 1732     
 1733     if (*cache == NULL) {
 1734         *cache = ne_ssl_cert_export(cert);
 1735         return 0;
 1736     } else {
 1737         return -1;
 1738     }
 1739 }
 1740 
 1741 /* Test a common use of the SSL API; cache the server cert across
 1742  * sessions. */
 1743 static int cache_cert(void)
 1744 {
 1745     ne_session *sess = DEFSESS;
 1746     char *cache = NULL;
 1747     ne_ssl_certificate *cert;
 1748     struct ssl_server_args args = {0};
 1749 
 1750     args.cert = "ssigned.pem";
 1751     args.cache = 1;
 1752 
 1753     ONREQ(any_ssl_request(sess, ssl_server, &args, CA_CERT,
 1754                           verify_cache, &cache));
 1755     ne_session_destroy(sess);
 1756 
 1757     ONN("no cert was cached", cache == NULL);
 1758     
 1759     /* make a real cert */
 1760     cert = ne_ssl_cert_import(cache);
 1761     ONN("could not import cached cert", cert == NULL);
 1762     ne_free(cache);
 1763 
 1764     /* create a new session */
 1765     sess = DEFSESS;
 1766     /* trust the cert */
 1767     ne_ssl_trust_cert(sess, cert);
 1768     ne_ssl_cert_free(cert);
 1769     /* now, the request should succeed without manual verification */
 1770     ONREQ(any_ssl_request(sess, ssl_server, &args, CA_CERT,
 1771                           NULL, NULL));
 1772     ne_session_destroy(sess);
 1773     return OK;
 1774 }
 1775 
 1776 static int nonssl_trust(void)
 1777 {
 1778     ne_session *sess = ne_session_create("http", "www.example.com", 80);
 1779     
 1780     ne_ssl_trust_cert(sess, def_ca_cert);
 1781     
 1782     ne_session_destroy(sess);
 1783 
 1784     return OK;
 1785 }
 1786 
 1787 /* PIN password provider callback. */
 1788 static int pkcs11_pin(void *userdata, int attempt,
 1789                       const char *slot_descr, const char *token_label,
 1790                       unsigned int flags, char *pin)
 1791 {
 1792     char *sekrit = userdata;
 1793 
 1794     NE_DEBUG(NE_DBG_SSL, "pkcs11: slot = [%s], token = [%s]\n",
 1795              slot_descr, token_label);
 1796 
 1797     if (attempt == 0) {
 1798         strcpy(pin, sekrit);
 1799         return 0;
 1800     }
 1801     else {
 1802         return -1;
 1803     }
 1804 }
 1805 
 1806 static int nss_pkcs11_test(const char *dbname)
 1807 {
 1808     ne_session *sess = DEFSESS;
 1809     struct ssl_server_args args = {SERVER_CERT, NULL};
 1810     ne_ssl_pkcs11_provider *prov;
 1811     int ret;
 1812 
 1813     args.require_cc = 1;
 1814 
 1815     if (access(dbname, R_OK|X_OK)) {
 1816         t_warning("NSS required for PKCS#11 testing");
 1817         return SKIP;
 1818     }
 1819 
 1820     ret = ne_ssl_pkcs11_nss_provider_init(&prov, "softokn3", dbname, NULL, 
 1821                                           NULL, NULL);
 1822     if (ret) {
 1823         if (ret == NE_PK11_NOTIMPL)
 1824             t_context("pakchois library required for PKCS#11 support");
 1825         else
 1826             t_context("could not load NSS softokn3 PKCS#11 provider");
 1827         return SKIP;
 1828     }
 1829 
 1830     ne_ssl_pkcs11_provider_pin(prov, pkcs11_pin, "foobar");
 1831     ne_ssl_set_pkcs11_provider(sess, prov);
 1832 
 1833     ret = any_ssl_request(sess, ssl_server, &args, CA_CERT, NULL, NULL);
 1834 
 1835     ne_session_destroy(sess);
 1836     ne_ssl_pkcs11_provider_destroy(prov);
 1837 
 1838     return ret;
 1839 }
 1840 
 1841 static int pkcs11(void)
 1842 {
 1843     return nss_pkcs11_test("nssdb");
 1844 }
 1845 
 1846 static int pkcs11_dsa(void)
 1847 {
 1848     return nss_pkcs11_test("nssdb-dsa");
 1849 }
 1850 
 1851 /* TODO: code paths still to test in cert verification:
 1852  * - server cert changes between connections: Mozilla gives
 1853  * a "bad MAC decode" error for this; can do better?
 1854  * - server presents no certificate (using ADH ciphers)... can
 1855  * only really happen if they mess with the SSL_CTX and enable
 1856  * ADH cipher manually; but good to check the failure case is 
 1857  * safe.
 1858  * -  SSL cert changes between connections; handle as normal & re-verify
 1859  * From the SSL book:
 1860  * - an early FIN should be returned as a possible truncation attack,
 1861  * NOT just an NE_SOCK_CLOSED.
 1862  * - unexpected close_notify is an error but not an attack.
 1863  * - never attempt session resumption after any aborted connection.
 1864  */
 1865 
 1866 ne_test tests[] = {
 1867     T_LEAKY(init),
 1868 
 1869     T(load_server_certs),
 1870     T(trust_default_ca),
 1871 
 1872     T(cert_fingerprint),
 1873     T(cert_identities),
 1874     T(cert_validity),
 1875     T(cert_compare),
 1876     T(dname_compare),
 1877     T(dname_readable),
 1878     T(import_export),
 1879     T(read_write),
 1880 
 1881     T(load_client_cert),
 1882     T(clicert_import),
 1883 
 1884     T(simple),
 1885 #if 0
 1886     T(simple_sslv2),
 1887 #endif
 1888     T(simple_eof),
 1889     T(empty_truncated_eof),
 1890     T(fail_not_ssl),
 1891     T(cache_cert),
 1892     T(intermediary),
 1893 
 1894     T(client_cert_pkcs12),
 1895     T(ccert_unencrypted),
 1896     T(client_cert_provided),
 1897     T(cc_provided_dnames),
 1898     T(no_client_cert),
 1899     T(client_cert_ca),
 1900 
 1901     T(parse_cert),
 1902     T(parse_chain),
 1903 
 1904     T(no_verify),
 1905     T(cache_verify),
 1906     T(wildcard_match),
 1907     T(wildcard_match_altname),
 1908     T(caseless_match),
 1909 
 1910     T(subject_altname),
 1911     T(two_subject_altname),
 1912     T(two_subject_altname2),
 1913     T(notdns_altname),
 1914     T(ipaddr_altname),
 1915     T(uri_altname),
 1916 
 1917     T(multi_commonName),
 1918     T(commonName_first),
 1919 
 1920     T(fail_wrongCN),
 1921     T(fail_expired),
 1922     T(fail_notvalid),
 1923     T(fail_untrusted_ca),
 1924     T(fail_self_signed),
 1925     T(fail_missing_CN),
 1926     T(fail_host_ipaltname),
 1927     T(fail_bad_ipaltname),
 1928     T(fail_bad_urialtname),
 1929     T(fail_wildcard),
 1930     T(fail_wildcard_ip),
 1931     T(fail_ca_notyetvalid),
 1932     T(fail_ca_expired),
 1933 
 1934     T(nulcn_identity),
 1935 #ifndef HAVE_GNUTLS
 1936     /* These certs were created with a SHA#1 digest so are rejected by GnuTLS. */
 1937     T(fail_nul_cn),
 1938     T(fail_nul_san),
 1939 #endif
 1940 
 1941 #if 0
 1942     T(session_cache),
 1943 #endif
 1944 
 1945     T(fail_tunnel),
 1946     T(proxy_tunnel),
 1947     T(auth_proxy_tunnel),
 1948     T(auth_tunnel_creds),
 1949     T(auth_tunnel_fail),
 1950 
 1951     T(nonssl_trust),
 1952 
 1953     T(pkcs11),
 1954     T_XFAIL(pkcs11_dsa), /* unclear why this fails currently. */
 1955 
 1956     T(NULL) 
 1957 };