1 /*
2 neon test suite
3 Copyright (C) 2002-2009, Joe Orton <joe@manyfish.co.uk>
4
5 This program is free software; you can redistribute it and/or modify
6 it under the terms of the GNU General Public License as published by
7 the Free Software Foundation; either version 2 of the License, or
8 (at your option) any later version.
9
10 This program is distributed in the hope that it will be useful,
11 but WITHOUT ANY WARRANTY; without even the implied warranty of
12 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
13 GNU General Public License for more details.
14
15 You should have received a copy of the GNU General Public License
16 along with this program; if not, write to the Free Software
17 Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
18
19 */
20
21 #include "config.h"
22
23 #include <sys/types.h>
24
25 #include <sys/stat.h>
26
27 #ifdef HAVE_STDLIB_H
28 #include <stdlib.h>
29 #endif
30 #ifdef HAVE_UNISTD_H
31 #include <unistd.h>
32 #endif
33
34 #include "ne_request.h"
35 #include "ne_socket.h"
36 #include "ne_ssl.h"
37 #include "ne_auth.h"
38
39 #include "tests.h"
40 #include "child.h"
41 #include "utils.h"
42
43 #ifndef NE_HAVE_SSL
44 /* this file shouldn't be built if SSL is not enabled. */
45 #error SSL not supported
46 #endif
47
48 #include "ne_pkcs11.h"
49
50 #define SERVER_CERT "server.cert"
51 #define CA2_SERVER_CERT "ca2server.pem"
52 #define CA_CERT "ca/cert.pem"
53
54 #define P12_PASSPHRASE "foobar"
55
56 #define SERVER_DNAME "Neon QA Dept, Neon Hackers Ltd, " \
57 "Cambridge, Cambridgeshire, GB"
58 #define CACERT_DNAME "Random Dept, Neosign, Oakland, California, US"
59
60 static char *srcdir = ".";
61 static char *server_key = NULL;
62
63 static ne_ssl_certificate *def_ca_cert = NULL, *def_server_cert;
64 static ne_ssl_client_cert *def_cli_cert;
65
66 static char *nul_cn_fn;
67
68 static int check_dname(const ne_ssl_dname *dn, const char *expected,
69 const char *which)
70 ne_attribute((nonnull));
71
72 static int check_cert_dnames(const ne_ssl_certificate *cert,
73 const char *subject, const char *issuer)
74 ne_attribute((nonnull (2)));
75
76 /* Arguments for running the SSL server */
77 struct ssl_server_args {
78 char *cert; /* the server cert to present. */
79 const char *response; /* the response to send. */
80 int numreqs; /* number of request/responses to handle over the SSL connection. */
81
82 /* client cert handling: */
83 int require_cc; /* require a client cert if non-NULL */
84 const char *ca_list; /* file of CA certs to verify client cert against */
85 int fail_silently; /* exit with success if handshake fails */
86
87 /* session caching: */
88 int cache; /* use the session cache if non-zero */
89 struct ssl_session {
90 unsigned char id[128];
91 size_t len;
92 } session;
93 int count; /* internal use. */
94
95 int use_ssl2; /* force use of SSLv2 only */
96
97 const char *key;
98 };
99
100 /* default response string if args->response is NULL */
101 #define DEF_RESP "HTTP/1.0 200 OK\r\nContent-Length: 0\r\n\r\n"
102
103 /* An SSL server inna bun. */
ssl_server(ne_socket * sock,void * userdata)104 static int ssl_server(ne_socket *sock, void *userdata)
105 {
106 struct ssl_server_args *args = userdata;
107 int ret;
108 char buf[BUFSIZ];
109 const char *key;
110 static ne_ssl_context *ctx = NULL;
111
112 if (ctx == NULL) {
113 ctx = ne_ssl_context_create(args->use_ssl2 ? NE_SSL_CTX_SERVERv2
114 : NE_SSL_CTX_SERVER);
115 }
116
117 ONV(ctx == NULL, ("could not create SSL context"));
118
119 key = args->key ? args->key : server_key;
120 NE_DEBUG(NE_DBG_HTTP, "SSL server init with keypair (%s, %s).\n",
121 args->cert, key);
122
123 ONV(ne_ssl_context_keypair(ctx, args->cert, key),
124 ("failed to load server keypair: ..."));
125
126 if (args->require_cc && !args->ca_list) {
127 args->ca_list = CA_CERT;
128 }
129
130 ne_ssl_context_set_verify(ctx, args->require_cc,
131 args->ca_list, args->ca_list);
132
133 ret = ne_sock_accept_ssl(sock, ctx);
134 if (ret && args->fail_silently) {
135 return 0;
136 }
137 ONV(ret, ("SSL accept failed: %s", ne_sock_error(sock)));
138
139 args->count++;
140
141 /* loop handling requests: */
142 do {
143 const char *response = args->response ? args->response : DEF_RESP;
144
145 ret = ne_sock_read(sock, buf, BUFSIZ - 1);
146 if (ret == NE_SOCK_CLOSED)
147 return 0; /* connection closed by parent; give up. */
148 ONV(ret < 0, ("SSL read failed (%d): %s", ret,
149 ne_sock_error(sock)));
150
151 buf[ret] = '\0';
152
153 NE_DEBUG(NE_DBG_HTTP, "Request over SSL was: [%s]\n", buf);
154
155 if (strstr(buf, "Proxy-Authorization:") != NULL) {
156 NE_DEBUG(NE_DBG_HTTP, "Got Proxy-Auth header over SSL!\n");
157 response = "HTTP/1.1 500 Client Leaks Credentials\r\n"
158 "Content-Length: 0\r\n" "\r\n";
159 }
160
161 ONV(ne_sock_fullwrite(sock, response, strlen(response)),
162 ("SSL write failed: %s", ne_sock_error(sock)));
163
164 } while (--args->numreqs > 0);
165
166
167 if (args->cache) {
168 unsigned char sessid[128];
169 size_t len = sizeof sessid;
170
171 ONN("could not retrieve session ID",
172 ne_sock_sessid(sock, sessid, &len));
173
174 #ifdef NE_DEBUGGING
175 {
176 char *b64 = ne_base64(sessid, len);
177 NE_DEBUG(NE_DBG_SSL, "Session id retrieved (%d): [%s]\n",
178 args->count, b64);
179 ne_free(b64);
180 }
181 #endif
182
183 if (args->count == 1) {
184 /* save the session. */
185 memcpy(args->session.id, sessid, len);
186 args->session.len = len;
187 } else {
188 /* Compare with stored session. */
189 ONN("cached session not used",
190 args->session.len != len
191 || memcmp(args->session.id, sessid, len));
192 }
193 }
194
195 return 0;
196 }
197
198 /* serve_ssl wrapper which ignores server failure and always succeeds */
fail_serve(ne_socket * sock,void * ud)199 static int fail_serve(ne_socket *sock, void *ud)
200 {
201 struct ssl_server_args args = {0};
202 args.cert = ud;
203 ssl_server(sock, &args);
204 return OK;
205 }
206
207 #define DEFSESS (ne_session_create("https", "localhost", 7777))
208
make_ssl_session_port(ne_session ** sess,const char * hostname,int port,server_fn fn,void * userdata)209 static int make_ssl_session_port(ne_session **sess,
210 const char *hostname, int port,
211 server_fn fn, void *userdata)
212 {
213 return fakeproxied_session_server(sess, "https", hostname, port,
214 fn, userdata);
215 }
216
make_ssl_session(ne_session ** sess,const char * hostname,server_fn fn,void * userdata)217 static int make_ssl_session(ne_session **sess, const char *hostname,
218 server_fn fn, void *userdata)
219 {
220 return make_ssl_session_port(sess,
221 hostname ? hostname : "localhost", 7777,
222 fn, userdata);
223 }
224
225 /* Runs SSL server which will accept 'count' connections, running
226 * ssl_server as callback with given 'args'. */
multi_ssl_session(int count,ne_session ** sess,struct ssl_server_args * args)227 static int multi_ssl_session(int count, ne_session **sess,
228 struct ssl_server_args *args)
229 {
230 return fakeproxied_multi_session_server(count, sess, "https",
231 "localhost",
232 7777,
233 ssl_server, args);
234 }
235
236
load_and_trust_cert(ne_session * sess,const char * ca_cert)237 static int load_and_trust_cert(ne_session *sess, const char *ca_cert)
238 {
239 ne_ssl_certificate *ca = ne_ssl_cert_read(ca_cert);
240 ONV(ca == NULL, ("could not load CA cert `%s'", ca_cert));
241 ne_ssl_trust_cert(sess, ca);
242 ne_ssl_cert_free(ca);
243 return OK;
244 }
245
make_ssl_request(struct ssl_server_args * args,const char * ca_cert,const char * hostname,ne_ssl_verify_fn verify_fn,void * verify_ud)246 static int make_ssl_request(struct ssl_server_args *args,
247 const char *ca_cert, const char *hostname,
248 ne_ssl_verify_fn verify_fn, void *verify_ud)
249 {
250 ne_session *sess;
251
252 CALL(make_ssl_session(&sess, hostname, ssl_server, args));
253
254 if (ca_cert) CALL(load_and_trust_cert(sess, ca_cert));
255
256 if (verify_fn) ne_ssl_set_verify(sess, verify_fn, verify_ud);
257
258 CALL(any_2xx_request(sess, "/foo"));
259
260 return destroy_and_wait(sess);
261 }
262
263 /* Run a request in the given session. */
any_ssl_request(ne_session * sess,server_fn fn,void * server_ud,char * ca_cert,ne_ssl_verify_fn verify_fn,void * verify_ud)264 static int any_ssl_request(ne_session *sess, server_fn fn, void *server_ud,
265 char *ca_cert,
266 ne_ssl_verify_fn verify_fn, void *verify_ud)
267 {
268 if (ca_cert) {
269 CALL(load_and_trust_cert(sess, ca_cert));
270 }
271
272 CALL(spawn_server(7777, fn, server_ud));
273
274 if (verify_fn)
275 ne_ssl_set_verify(sess, verify_fn, verify_ud);
276
277 ONREQ(any_request(sess, "/foo"));
278
279 return await_server();
280 }
281
init(void)282 static int init(void)
283 {
284 /* take srcdir as argv[1] for VPATH builds. */
285 if (test_argc > 1) {
286 srcdir = test_argv[1];
287 }
288
289 /* take srcdir as argv[1]. */
290 server_key = "server.key";
291
292 if (ne_sock_init()) {
293 t_context("could not initialize socket/SSL library.");
294 return FAILHARD;
295 }
296
297 def_ca_cert = ne_ssl_cert_read(CA_CERT);
298 if (def_ca_cert == NULL) {
299 t_context("couldn't load CA cert %s", CA_CERT);
300 return FAILHARD;
301 }
302
303 def_server_cert = ne_ssl_cert_read(SERVER_CERT);
304 if (def_server_cert == NULL) {
305 t_context("couldn't load server cert %s", SERVER_CERT);
306 return FAILHARD;
307 }
308
309 /* tests for the encrypted client cert, client.p12 */
310 def_cli_cert = ne_ssl_clicert_read("client.p12");
311 if (def_cli_cert == NULL) {
312 t_context("could not load client.p12");
313 return FAILHARD;
314 }
315
316 if (!ne_ssl_clicert_encrypted(def_cli_cert)) {
317 ne_ssl_clicert_free(def_cli_cert);
318 def_cli_cert = NULL;
319 t_context("client.p12 is not encrypted!?");
320 return FAIL;
321 }
322
323 if (ne_ssl_clicert_decrypt(def_cli_cert, P12_PASSPHRASE)) {
324 ne_ssl_clicert_free(def_cli_cert);
325 def_cli_cert = NULL;
326 t_context("failed to decrypt client.p12");
327 return FAIL;
328 }
329
330 nul_cn_fn = ne_concat(srcdir, "/nulcn.pem", NULL);
331
332 return OK;
333 }
334
335 /* just check the result codes of loading server certs. */
load_server_certs(void)336 static int load_server_certs(void)
337 {
338 ne_ssl_certificate *cert;
339
340 cert = ne_ssl_cert_read("Makefile");
341 ONN("invalid CA cert file loaded successfully", cert != NULL);
342
343 cert = ne_ssl_cert_read("nonesuch.pem");
344 ONN("non-existent 'nonesuch.pem' loaded successfully", cert != NULL);
345
346 cert = ne_ssl_cert_read("ssigned.pem");
347 ONN("could not load ssigned.pem", cert == NULL);
348 ne_ssl_cert_free(cert);
349
350 return OK;
351 }
352
trust_default_ca(void)353 static int trust_default_ca(void)
354 {
355 ne_session *sess = DEFSESS;
356 ne_ssl_trust_default_ca(sess);
357 ne_session_destroy(sess);
358 return OK;
359 }
360
361 #define CC_NAME "Just A Neon Client Cert"
362
363 /* Tests for loading client certificates */
load_client_cert(void)364 static int load_client_cert(void)
365 {
366 ne_ssl_client_cert *cc;
367 const ne_ssl_certificate *cert;
368 const char *name;
369
370 cc = ne_ssl_clicert_read("client.p12");
371 ONN("could not load client.p12", cc == NULL);
372 ONN("client.p12 not encrypted!?", !ne_ssl_clicert_encrypted(cc));
373 name = ne_ssl_clicert_name(cc);
374 if (name == NULL) {
375 t_warning("no friendly name given");
376 } else {
377 ONV(strcmp(name, CC_NAME), ("friendly name was %s not %s", name, CC_NAME));
378 }
379 ONN("failed to decrypt", ne_ssl_clicert_decrypt(cc, P12_PASSPHRASE));
380 ne_ssl_clicert_free(cc);
381
382 cc = ne_ssl_clicert_read("client.p12");
383 ONN("decrypted client.p12 with incorrect password!?",
384 ne_ssl_clicert_decrypt(cc, "barfoo") == 0);
385 ne_ssl_clicert_free(cc);
386
387 /* tests for the unencrypted client cert, client2.p12 */
388 cc = ne_ssl_clicert_read("unclient.p12");
389 ONN("could not load unencrypted cert unclient.p12", cc == NULL);
390 ONN("unencrypted cert marked encrypted?", ne_ssl_clicert_encrypted(cc));
391 cert = ne_ssl_clicert_owner(cc);
392 ONN("client cert had no certificate", cert == NULL);
393 CALL(check_dname(ne_ssl_cert_subject(cert),
394 "Neon Client Cert, Neon Hackers Ltd, "
395 "Cambridge, Cambridgeshire, GB",
396 "client cert subject"));
397 CALL(check_dname(ne_ssl_cert_issuer(cert), CACERT_DNAME,
398 "client cert issuer"));
399 ne_ssl_clicert_free(cc);
400
401 /* test for ccert without a friendly name, noclient.p12 */
402 cc = ne_ssl_clicert_read("noclient.p12");
403 ONN("could not load noclient.p12", cc == NULL);
404 name = ne_ssl_clicert_name(cc);
405 ONV(name != NULL, ("noclient.p12 had friendly name `%s'", name));
406 ne_ssl_clicert_free(cc);
407
408 /* test for ccert with a bundled CA. */
409 cc = ne_ssl_clicert_read("clientca.p12");
410 ONN("could not load clientca.p12", cc == NULL);
411 ONN("encrypted cert marked unencrypted?", !ne_ssl_clicert_encrypted(cc));
412 ONN("could not decrypt clientca.p12",
413 ne_ssl_clicert_decrypt(cc, P12_PASSPHRASE));
414 ne_ssl_clicert_free(cc);
415
416 /* test for ccert without a private key, nkclient.p12 */
417 cc = ne_ssl_clicert_read("nkclient.p12");
418 ONN("did not fail to load clicert without pkey", cc != NULL);
419
420 /* test for ccert without a cert, ncclient.p12 */
421 cc = ne_ssl_clicert_read("ncclient.p12");
422 ONN("did not fail to load clicert without cert", cc != NULL);
423
424 /* tests for loading bogus files. */
425 cc = ne_ssl_clicert_read("Makefile");
426 ONN("loaded Makefile as client cert!?", cc != NULL);
427
428 /* test for loading nonexistent file. */
429 cc = ne_ssl_clicert_read("nosuch.pem");
430 ONN("loaded nonexistent file as client cert!?", cc != NULL);
431
432 return OK;
433 }
434
clicert_import(void)435 static int clicert_import(void)
436 {
437 ne_ssl_client_cert *cc;
438 ne_buffer *buf = ne_buffer_create();
439
440 CALL(file_to_buffer("client.p12", buf));
441
442 cc = ne_ssl_clicert_import((unsigned char *)buf->data, ne_buffer_size(buf));
443 ONN("could not import client cert from buffer", cc == NULL);
444
445 ONN("failed to decrypt", ne_ssl_clicert_decrypt(cc, P12_PASSPHRASE));
446 ne_ssl_clicert_free(cc);
447 ne_buffer_destroy(buf);
448
449 return OK;
450 }
451
452 /* Test that 'cert', which is signed by CA_CERT, is accepted
453 * unconditionally. */
accept_signed_cert_for_hostname(char * cert,const char * hostname)454 static int accept_signed_cert_for_hostname(char *cert, const char *hostname)
455 {
456 struct ssl_server_args args = {cert, 0};
457
458 /* no verify callback needed. */
459 return make_ssl_request(&args, CA_CERT, hostname, NULL, NULL);
460 }
461
462
accept_signed_cert(char * cert)463 static int accept_signed_cert(char *cert)
464 {
465 return accept_signed_cert_for_hostname(cert, "localhost");
466 }
467
simple(void)468 static int simple(void)
469 {
470 return accept_signed_cert(SERVER_CERT);
471 }
472
473 #if 0 /* No longer works for modern SSL libraries, rightly so. */
474 /* Test for SSL operation when server uses SSLv2 */
475 static int simple_sslv2(void)
476 {
477 ne_session *sess = ne_session_create("https", "localhost", 7777);
478 struct ssl_server_args args = {SERVER_CERT, 0};
479
480 args.use_ssl2 = 1;
481 ne_set_session_flag(sess, NE_SESSFLAG_SSLv2, 1);
482
483 if (ne_get_session_flag(sess, NE_SESSFLAG_SSLv2) != 1) {
484 t_context("no SSLv2 support in SSL library");
485 ne_session_destroy(sess);
486 return SKIP;
487 }
488
489 CALL(any_ssl_request(sess, ssl_server, &args, CA_CERT, NULL, NULL));
490 ne_session_destroy(sess);
491 return OK;
492 }
493 #endif
494
495 /* Test read-til-EOF behaviour with SSL. */
simple_eof(void)496 static int simple_eof(void)
497 {
498 struct ssl_server_args args = {SERVER_CERT, 0};
499
500 args.response = "HTTP/1.0 200 OK\r\n"
501 "Connection: close\r\n"
502 "\r\n"
503 "This is a response body, like it or not.";
504
505 return make_ssl_request(&args, CA_CERT, NULL, NULL, NULL);
506 }
507
intermediary(void)508 static int intermediary(void)
509 {
510 struct ssl_server_args args = {CA2_SERVER_CERT, 0};
511
512 return make_ssl_request(&args, CA_CERT, NULL, NULL, NULL);
513 }
514
empty_truncated_eof(void)515 static int empty_truncated_eof(void)
516 {
517 struct ssl_server_args args = {0};
518
519 args.cert = SERVER_CERT;
520 args.response = "HTTP/1.0 200 OK\r\n" "\r\n";
521
522 return make_ssl_request(&args, CA_CERT, NULL, NULL, NULL);
523 }
524
525 /* Server function which just sends a string then EOF. */
just_serve_string(ne_socket * sock,void * userdata)526 static int just_serve_string(ne_socket *sock, void *userdata)
527 {
528 const char *str = userdata;
529 server_send(sock, str, strlen(str));
530 return 0;
531 }
532
533 /* test for the SSL negotiation failing. */
fail_not_ssl(void)534 static int fail_not_ssl(void)
535 {
536 ne_session *sess;
537 int ret;
538
539 CALL(make_ssl_session(&sess, NULL, just_serve_string, "Hello, world.\n"));
540 ret = any_request(sess, "/bar");
541 ONN("request did not fail", ret != NE_ERROR);
542
543 return destroy_and_wait(sess);
544 }
545
wildcard_match(void)546 static int wildcard_match(void)
547 {
548 struct ssl_server_args args = {"wildcard.cert", 0};
549
550 return make_ssl_request(&args, CA_CERT, "bar.example.com", NULL, NULL);
551 }
552
wildcard_match_altname(void)553 static int wildcard_match_altname(void)
554 {
555 struct ssl_server_args args = {"altname9.cert", 0};
556
557 return make_ssl_request(&args, CA_CERT, "foo.example.com", NULL, NULL);
558 }
559
560 /* Check that hostname comparisons are not cases-sensitive. */
caseless_match(void)561 static int caseless_match(void)
562 {
563 return accept_signed_cert("caseless.cert");
564 }
565
566 /* Test that the subjectAltName extension has precedence over the
567 * commonName attribute */
subject_altname(void)568 static int subject_altname(void)
569 {
570 return accept_signed_cert("altname1.cert");
571 }
572
573 /* tests for multiple altNames. */
two_subject_altname(void)574 static int two_subject_altname(void)
575 {
576 return accept_signed_cert("altname2.cert");
577 }
578
two_subject_altname2(void)579 static int two_subject_altname2(void)
580 {
581 return accept_signed_cert("altname3.cert");
582 }
583
584 /* Test that a subject altname with *only* an eMail entry is
585 * ignored, and the commonName is used instead. */
notdns_altname(void)586 static int notdns_altname(void)
587 {
588 return accept_signed_cert("altname4.cert");
589 }
590
ipaddr_altname(void)591 static int ipaddr_altname(void)
592 {
593 return accept_signed_cert_for_hostname("altname5.cert", "127.0.0.1");
594 }
595
uri_altname(void)596 static int uri_altname(void)
597 {
598 return accept_signed_cert_for_hostname("altname7.cert", "localhost");
599 }
600
601 /* test that the *most specific* commonName attribute is used. */
multi_commonName(void)602 static int multi_commonName(void)
603 {
604 return accept_signed_cert("twocn.cert");
605 }
606
607 /* regression test for neon <= 0.23.4 where if commonName was the first
608 * RDN in the subject DN, it was ignored. */
commonName_first(void)609 static int commonName_first(void)
610 {
611 return accept_signed_cert("cnfirst.cert");
612 }
613
check_dname(const ne_ssl_dname * dn,const char * expected,const char * which)614 static int check_dname(const ne_ssl_dname *dn, const char *expected,
615 const char *which)
616 {
617 char *dname;
618
619 ONV(dn == NULL, ("certificate %s dname was NULL", which));
620
621 dname = ne_ssl_readable_dname(dn);
622
623 NE_DEBUG(NE_DBG_SSL, "Got dname `%s', expecting `%s'\n", dname, expected);
624
625 ONV(!dname || strcmp(dname, expected),
626 ("certificate %s dname was `%s' not `%s'", which, dname, expected));
627
628 ne_free(dname);
629
630 return 0;
631 }
632
633 /* Check that the readable subject issuer dnames of 'cert' match
634 * 'subject' and 'issuer' (if non-NULL). */
check_cert_dnames(const ne_ssl_certificate * cert,const char * subject,const char * issuer)635 static int check_cert_dnames(const ne_ssl_certificate *cert,
636 const char *subject, const char *issuer)
637 {
638 ONN("no server certificate presented", cert == NULL);
639 CALL(check_dname(ne_ssl_cert_subject(cert), subject, "subject"));
640 return issuer ? check_dname(ne_ssl_cert_issuer(cert), issuer, "issuer") : OK;
641 }
642
643 /* Verify callback which checks that the certificate presented has the
644 * predetermined subject and issuer DN (as per makekeys.sh). */
check_cert(void * userdata,int fs,const ne_ssl_certificate * cert)645 static int check_cert(void *userdata, int fs, const ne_ssl_certificate *cert)
646 {
647 int *ret = userdata;
648
649 if (check_cert_dnames(cert, SERVER_DNAME, CACERT_DNAME) == FAIL)
650 *ret = -1;
651 else
652 *ret = 1;
653
654 return 0;
655 }
656
657 /* Check that certificate attributes are passed correctly. */
parse_cert(void)658 static int parse_cert(void)
659 {
660 struct ssl_server_args args = {SERVER_CERT, 0};
661 int ret = 0;
662
663 /* don't give a CA cert; should force the verify callback to be
664 * used. */
665 CALL(make_ssl_request(&args, NULL, NULL, check_cert, &ret));
666
667 ONN("cert verification never called", ret == 0);
668
669 if (ret == -1)
670 return FAIL;
671
672 return OK;
673 }
674
675 #define WRONGCN_DNAME "Bad Hostname Department, Neon Hackers Ltd, " \
676 "Cambridge, Cambridgeshire, GB"
677
678 /* Check the certificate chain presented against known dnames. */
check_chain(void * userdata,int fs,const ne_ssl_certificate * cert)679 static int check_chain(void *userdata, int fs, const ne_ssl_certificate *cert)
680 {
681 int *ret = userdata;
682
683 if (check_cert_dnames(cert, WRONGCN_DNAME, CACERT_DNAME) == FAIL) {
684 *ret = -1;
685 return 0;
686 }
687
688 cert = ne_ssl_cert_signedby(cert);
689 if (cert == NULL) {
690 t_context("no CA cert in chain");
691 *ret = -1;
692 return 0;
693 }
694
695 if (check_cert_dnames(cert, CACERT_DNAME, CACERT_DNAME) == FAIL) {
696 *ret = -1;
697 return 0;
698 }
699
700 *ret = 1;
701 return 0;
702 }
703
704 /* Check that certificate attributes are passed correctly. */
parse_chain(void)705 static int parse_chain(void)
706 {
707 int ret = 0;
708 struct ssl_server_args args = {"wrongcn.cert", 0};
709
710 args.ca_list = CA_CERT;
711
712 /* The cert is signed by the CA but has a CN mismatch, so will
713 * force the verification callback to be invoked. */
714 CALL(make_ssl_request(&args, CA_CERT, NULL, check_chain, &ret));
715
716 ONN("cert verification never called", ret == 0);
717
718 if (ret == -1)
719 return FAIL;
720
721 return OK;
722 }
723
724
count_vfy(void * userdata,int fs,const ne_ssl_certificate * c)725 static int count_vfy(void *userdata, int fs, const ne_ssl_certificate *c)
726 {
727 int *count = userdata;
728 (*count)++;
729 return 0;
730 }
731
no_verify(void)732 static int no_verify(void)
733 {
734 int count = 0;
735 struct ssl_server_args args = {SERVER_CERT, 0};
736
737 CALL(make_ssl_request(&args, CA_CERT, NULL, count_vfy, &count));
738
739 ONN("verify callback called unnecessarily", count != 0);
740
741 return OK;
742 }
743
744 /* Checks that the verify callback is only called on the first
745 * connection to the SSL server, and not on subsequent connections. */
cache_verify(void)746 static int cache_verify(void)
747 {
748 ne_session *sess;
749 int count = 0;
750 struct ssl_server_args args = {SERVER_CERT, 0};
751
752 CALL(multi_ssl_session(2, &sess, &args));
753
754 ne_ssl_set_verify(sess, count_vfy, &count);
755
756 ONREQ(any_request(sess, "/foo-alpha"));
757 ONREQ(any_request(sess, "/foo-beta"));
758
759 ONV(count != 1,
760 ("verify callback result not cached: called %d times", count));
761
762 ne_session_destroy(sess);
763
764 return OK;
765 }
766
767 /* Copy failures into *userdata, and fail verification. */
get_failures(void * userdata,int fs,const ne_ssl_certificate * c)768 static int get_failures(void *userdata, int fs, const ne_ssl_certificate *c)
769 {
770 int *out = userdata;
771 *out = fs;
772 return -1;
773 }
774
775 /* Helper function for expected-to-fail SSL tests.
776 *
777 * An SSL server is spawned using 'cert' and 'key' as the key pair.
778 * The client will trust CA cert 'cacert', and use 'host' as the server
779 * name. If realhost is non-NULL, this address will be used to connect
780 * to in favour of host; the server is otherwise identified as 'host'.
781 * 'msg' must be a substring of the error string.
782 * 'failures' must equal the failure bitmask passed to the verify
783 * callback in the client.
784 * If none of the expected conditions is met, 'errstr' will be
785 * used in the test failure context.
786 */
fail_ssl_request_with_error2(char * cert,char * key,char * cacert,const char * host,const char * realhost,const char * msg,int failures,const char * errstr)787 static int fail_ssl_request_with_error2(char *cert, char *key, char *cacert,
788 const char *host, const char *realhost,
789 const char *msg, int failures,
790 const char *errstr)
791 {
792 ne_session *sess = ne_session_create("https", host, 7777);
793 int gotf = 0, ret;
794 struct ssl_server_args args = {0};
795 ne_sock_addr *addr = NULL;
796 const ne_inet_addr **list = NULL;
797
798 if (realhost) {
799 size_t n;
800 const ne_inet_addr *ia;
801
802 addr = ne_addr_resolve(realhost, 0);
803
804 ONV(ne_addr_result(addr),
805 ("fake hostname lookup failed for %s", realhost));
806
807 NE_DEBUG(NE_DBG_SSL, "ssl: Using fake hostname '%s'\n", realhost);
808
809 for (n = 0, ia = ne_addr_first(addr); ia; ia = ne_addr_next(addr))
810 n++;
811
812 NE_DEBUG(NE_DBG_SSL, "ssl: Address count '%lu'\n", n);
813
814 list = ne_calloc(n * sizeof(*list));
815
816 for (n = 0, ia = ne_addr_first(addr); ia; ia = ne_addr_next(addr))
817 list[n++] = ia;
818
819 ne_set_addrlist(sess, list, n);
820 }
821
822 args.cert = cert;
823 args.key = key;
824 args.fail_silently = 1;
825
826 ret = any_ssl_request(sess, ssl_server, &args, cacert,
827 get_failures, &gotf);
828
829 ONV(gotf == 0,
830 ("no error in verification callback; request rv %d error string: %s",
831 ret, ne_get_error(sess)));
832
833 ONV(gotf & ~NE_SSL_FAILMASK,
834 ("verification flags %x outside mask %x", gotf, NE_SSL_FAILMASK));
835
836 /* check the failure flags were as expected. */
837 ONV(failures != gotf,
838 ("verification flags were %d not %d", gotf, failures));
839
840 /* and check that the request was failed too. */
841 ONV(ret == NE_OK, ("%s", msg));
842
843 ONV(errstr && strstr(ne_get_error(sess), errstr) == NULL,
844 ("unexpected failure message '%s', wanted '%s'",
845 ne_get_error(sess), errstr));
846
847 ne_session_destroy(sess);
848 if (addr) ne_addr_destroy(addr);
849 if (list) ne_free(list);
850
851 return OK;
852 }
853
854 /* Helper function: run a request using the given self-signed server
855 * certificate, and expect the request to fail with the given
856 * verification failure flags. */
fail_ssl_request_with_error(char * cert,char * cacert,const char * host,const char * msg,int failures,const char * errstr)857 static int fail_ssl_request_with_error(char *cert, char *cacert, const char *host,
858 const char *msg, int failures,
859 const char *errstr)
860 {
861 return fail_ssl_request_with_error2(cert, NULL, cacert, host, NULL,
862 msg, failures, errstr);
863 }
864
865
866 /* Helper function: run a request using the given self-signed server
867 * certificate, and expect the request to fail with the given
868 * verification failure flags. */
fail_ssl_request(char * cert,char * cacert,const char * host,const char * msg,int failures)869 static int fail_ssl_request(char *cert, char *cacert, const char *host,
870 const char *msg, int failures)
871 {
872 return fail_ssl_request_with_error(cert, cacert, host, msg, failures,
873 NULL);
874 }
875
876 /* Note that the certs used for fail_* are mostly self-signed, so the
877 * cert is passed as CA cert and server cert to fail_ssl_request. */
878
879 /* Check that a certificate with the incorrect commonName attribute is
880 * flagged as such. */
fail_wrongCN(void)881 static int fail_wrongCN(void)
882 {
883 return fail_ssl_request_with_error("wrongcn.cert", "ca/cert.pem", "localhost",
884 "certificate with incorrect CN was accepted",
885 NE_SSL_IDMISMATCH,
886 "certificate issued for a different hostname");
887
888 }
889
890 #define SRCDIR(s) ne_concat(srcdir, "/" s, NULL)
891
892 #if 0
893 static int fail_nul_cn(void)
894 {
895 char *key = SRCDIR("nulsrv.key"), *ca = SRCDIR("nulca.pem");
896 CALL(fail_ssl_request_with_error2(nul_cn_fn, key, ca,
897 "www.bank.com", "localhost",
898 "certificate with incorrect CN was accepted",
899 NE_SSL_IDMISMATCH|NE_SSL_EXPIRED|NE_SSL_BADCHAIN,
900 "certificate issued for a different hostname"));
901 ne_free(key);
902 ne_free(ca);
903 return OK;
904 }
905
906 static int fail_nul_san(void)
907 {
908 char *cert = SRCDIR("nulsan.pem"), *key = SRCDIR("nulsrv.key"),
909 *ca = SRCDIR("nulca.pem");
910 CALL(fail_ssl_request_with_error2(cert, key, ca,
911 "www.bank.com", "localhost",
912 "certificate with incorrect CN was accepted",
913 NE_SSL_IDMISMATCH|NE_SSL_EXPIRED|NE_SSL_BADCHAIN,
914 "certificate issued for a different hostname"));
915 ne_free(cert);
916 ne_free(key);
917 ne_free(ca);
918 return OK;
919 }
920 #endif
921
922 /* Check that an expired certificate is flagged as such. */
fail_expired(void)923 static int fail_expired(void)
924 {
925 return fail_ssl_request_with_error("expired.cert", CA_CERT, "localhost",
926 "expired certificate was accepted",
927 NE_SSL_EXPIRED,
928 "certificate has expired");
929 }
930
fail_notvalid(void)931 static int fail_notvalid(void)
932 {
933 return fail_ssl_request_with_error("notyet.cert", CA_CERT, "localhost",
934 "not yet valid certificate was accepted",
935 NE_SSL_NOTYETVALID,
936 "certificate is not yet valid");
937 }
938
939 /* Check that a server cert with a random issuer and self-signed cert
940 * fail with UNTRUSTED. */
fail_untrusted_ca(void)941 static int fail_untrusted_ca(void)
942 {
943 return fail_ssl_request_with_error("server.cert", NULL, "localhost",
944 "untrusted CA.", NE_SSL_UNTRUSTED,
945 "issuer is not trusted");
946 }
947
fail_self_signed(void)948 static int fail_self_signed(void)
949 {
950 return fail_ssl_request("ssigned.pem", NULL, "localhost",
951 "self-signed cert", NE_SSL_UNTRUSTED);
952 }
953
954 /* Test for failure when a server cert is presented which has no
955 * commonName (and no alt names either). */
fail_missing_CN(void)956 static int fail_missing_CN(void)
957 {
958 ne_session *sess = DEFSESS;
959
960 ONN("accepted server cert with missing commonName",
961 any_ssl_request(sess, fail_serve, "missingcn.cert", SERVER_CERT,
962 NULL, NULL) == NE_OK);
963
964 ONV(strstr(ne_get_error(sess), "missing commonName") == NULL,
965 ("unexpected session error `%s'", ne_get_error(sess)));
966
967 ne_session_destroy(sess);
968 return OK;
969 }
970
971 /* test for a bad ipAddress altname */
fail_bad_ipaltname(void)972 static int fail_bad_ipaltname(void)
973 {
974 return fail_ssl_request("altname6.cert", CA_CERT, "127.0.0.1",
975 "bad IP altname cert", NE_SSL_IDMISMATCH);
976 }
977
978 /* test for a ipAddress which matched against the hostname as per neon
979 * 0.24 behaviour. */
fail_host_ipaltname(void)980 static int fail_host_ipaltname(void)
981 {
982 return fail_ssl_request("altname5.cert", CA_CERT, "localhost",
983 "bad IP altname cert", NE_SSL_IDMISMATCH);
984 }
985
fail_bad_urialtname(void)986 static int fail_bad_urialtname(void)
987 {
988 return fail_ssl_request("altname8.cert", CA_CERT, "localhost",
989 "bad URI altname cert", NE_SSL_IDMISMATCH);
990 }
991
fail_wildcard(void)992 static int fail_wildcard(void)
993 {
994 return fail_ssl_request("altname9.cert", CA_CERT, "localhost",
995 "subjaltname not honored", NE_SSL_IDMISMATCH);
996 }
997
fail_wildcard_ip(void)998 static int fail_wildcard_ip(void)
999 {
1000 return fail_ssl_request("wildip.cert", CA_CERT, "127.0.0.1",
1001 "wildcard IP", NE_SSL_IDMISMATCH);
1002 }
1003
fail_ca_expired(void)1004 static int fail_ca_expired(void)
1005 {
1006 return fail_ssl_request_with_error("ca1server.cert", "ca1/cert.pem",
1007 "localhost", "issuer ca expired",
1008 NE_SSL_BADCHAIN,
1009 "bad certificate chain");
1010 }
1011
fail_ca_notyetvalid(void)1012 static int fail_ca_notyetvalid(void)
1013 {
1014 return fail_ssl_request("ca3server.cert", "ca3/cert.pem", "localhost",
1015 "issuer ca not yet valid", NE_SSL_BADCHAIN);
1016 }
1017
1018 #if 0
1019 /* Test that the SSL session is cached across connections. */
1020 static int session_cache(void)
1021 {
1022 struct ssl_server_args args = {0};
1023 ne_session *sess;
1024
1025 args.cert = SERVER_CERT;
1026 args.cache = 1;
1027
1028 CALL(multi_session_server(&sess, "https", "localhost",
1029 2, ssl_server, &args));
1030
1031 ne_ssl_trust_cert(sess, def_ca_cert);
1032
1033 ONREQ(any_request(sess, "/req1"));
1034 ONREQ(any_request(sess, "/req2"));
1035
1036 return destroy_and_wait(sess);
1037 }
1038 #endif
1039
1040 /* Callback for client_cert_provider; takes a c. cert as userdata and
1041 * registers it. */
ccert_provider(void * userdata,ne_session * sess,const ne_ssl_dname * const * dns,int dncount)1042 static void ccert_provider(void *userdata, ne_session *sess,
1043 const ne_ssl_dname *const *dns, int dncount)
1044 {
1045 const ne_ssl_client_cert *cc = userdata;
1046 ne_ssl_set_clicert(sess, cc);
1047 }
1048
1049 /* Test that the on-demand client cert provider callback is used. */
client_cert_provided(void)1050 static int client_cert_provided(void)
1051 {
1052 ne_session *sess = DEFSESS;
1053 ne_ssl_client_cert *cc;
1054 struct ssl_server_args args = {SERVER_CERT, NULL};
1055
1056 args.require_cc = 1;
1057
1058 cc = ne_ssl_clicert_read("client.p12");
1059 ONN("could not load client.p12", cc == NULL);
1060 ONN("could not decrypt client.p12",
1061 ne_ssl_clicert_decrypt(cc, P12_PASSPHRASE));
1062
1063 ne_ssl_provide_clicert(sess, ccert_provider, cc);
1064 CALL(any_ssl_request(sess, ssl_server, &args, CA_CERT,
1065 NULL, NULL));
1066
1067 ne_session_destroy(sess);
1068 ne_ssl_clicert_free(cc);
1069 return OK;
1070 }
1071
1072 #define DN_COUNT 5
1073
cc_check_dnames(void * userdata,ne_session * sess,const ne_ssl_dname * const * dns,int dncount)1074 static void cc_check_dnames(void *userdata, ne_session *sess,
1075 const ne_ssl_dname *const *dns, int dncount)
1076 {
1077 int n, *ret = userdata;
1078 static const char *expected[DN_COUNT] = {
1079 CACERT_DNAME,
1080 "First Random CA, CAs Ltd., Lincoln, Lincolnshire, GB",
1081 "Second Random CA, CAs Ltd., Falmouth, Cornwall, GB",
1082 "Third Random CA, CAs Ltd., Ipswich, Suffolk, GB",
1083 "Fourth Random CA, CAs Ltd., Norwich, Norfolk, GB"
1084 };
1085
1086 ne_ssl_set_clicert(sess, def_cli_cert);
1087
1088 if (dncount != DN_COUNT) {
1089 t_context("dname count was %d not %d", dncount,
1090 DN_COUNT);
1091 *ret = -1;
1092 return;
1093 }
1094
1095 for (n = 0; n < DN_COUNT; n++) {
1096 char which[5];
1097
1098 sprintf(which, "%d", n);
1099
1100 if (check_dname(dns[n], expected[n], which) == FAIL) {
1101 *ret = -1;
1102 return;
1103 }
1104 }
1105
1106 *ret = 1;
1107 }
1108
1109 /* Test for the list of acceptable dnames sent to the client. */
cc_provided_dnames(void)1110 static int cc_provided_dnames(void)
1111 {
1112 int check = 0;
1113 ne_session *sess = DEFSESS;
1114 struct ssl_server_args args = {SERVER_CERT, NULL};
1115
1116 args.require_cc = 1;
1117 args.ca_list = "calist.pem";
1118
1119 PRECOND(def_cli_cert);
1120
1121 ne_ssl_provide_clicert(sess, cc_check_dnames, &check);
1122
1123 CALL(any_ssl_request(sess, ssl_server, &args, CA_CERT, NULL, NULL));
1124
1125 ne_session_destroy(sess);
1126
1127 ONN("provider function not called", check == 0);
1128
1129 return (check == -1) ? FAIL : OK;
1130 }
1131
1132 /* Tests use of a client certificate. */
client_cert_pkcs12(void)1133 static int client_cert_pkcs12(void)
1134 {
1135 ne_session *sess = DEFSESS;
1136 struct ssl_server_args args = {SERVER_CERT, NULL};
1137
1138 args.require_cc = 1;
1139
1140 PRECOND(def_cli_cert);
1141
1142 ne_ssl_set_clicert(sess, def_cli_cert);
1143 CALL(any_ssl_request(sess, ssl_server, &args, CA_CERT, NULL, NULL));
1144
1145 ne_session_destroy(sess);
1146 return OK;
1147 }
1148
1149 /* Test use of a PKCS#12 cert with an embedded CA cert - fails with <=
1150 * 0.28.3 in GnuTLS build. */
client_cert_ca(void)1151 static int client_cert_ca(void)
1152 {
1153 ne_session *sess = DEFSESS;
1154 struct ssl_server_args args = {SERVER_CERT, NULL};
1155 ne_ssl_client_cert *cc;
1156
1157 args.require_cc = 1;
1158
1159 cc = ne_ssl_clicert_read("clientca.p12");
1160 ONN("could not load clientca.p12", cc == NULL);
1161 ONN("encrypted cert marked unencrypted?", !ne_ssl_clicert_encrypted(cc));
1162 ONN("could not decrypt clientca.p12",
1163 ne_ssl_clicert_decrypt(cc, P12_PASSPHRASE));
1164
1165 ne_ssl_set_clicert(sess, cc);
1166 CALL(any_ssl_request(sess, ssl_server, &args, CA_CERT, NULL, NULL));
1167
1168 ne_ssl_clicert_free(cc);
1169
1170 ne_session_destroy(sess);
1171 return OK;
1172 }
1173
1174 /* Tests use of an unencrypted client certificate. */
ccert_unencrypted(void)1175 static int ccert_unencrypted(void)
1176 {
1177 ne_session *sess = DEFSESS;
1178 ne_ssl_client_cert *ccert;
1179 struct ssl_server_args args = {SERVER_CERT, NULL};
1180
1181 args.require_cc = 1;
1182
1183 ccert = ne_ssl_clicert_read("unclient.p12");
1184 ONN("could not load unclient.p12", ccert == NULL);
1185 ONN("unclient.p12 was encrypted", ne_ssl_clicert_encrypted(ccert));
1186
1187 ne_ssl_set_clicert(sess, ccert);
1188 CALL(any_ssl_request(sess, ssl_server, &args, CA_CERT, NULL, NULL));
1189
1190 ne_ssl_clicert_free(ccert);
1191 ne_session_destroy(sess);
1192 return OK;
1193 }
1194
1195 #define NOCERT_MESSAGE "client certificate was requested"
1196 /* random SSL read may fail like this with TLSv1.3 */
1197 #define NOCERT_ALT "certificate required"
1198
1199 /* Tests for useful error message if a handshake fails where a client
1200 * cert was requested. */
no_client_cert(void)1201 static int no_client_cert(void)
1202 {
1203 ne_session *sess;
1204 struct ssl_server_args args = {SERVER_CERT, NULL};
1205 int ret;
1206
1207 args.require_cc = 1;
1208 args.fail_silently = 1;
1209
1210 CALL(make_ssl_session(&sess, NULL, ssl_server, &args));
1211
1212 ne_ssl_trust_cert(sess, def_ca_cert);
1213
1214 ret = any_request(sess, "/failme");
1215
1216 ONV(ret != NE_ERROR,
1217 ("unexpected result %d: %s", ret, ne_get_error(sess)));
1218
1219 ONV(strstr(ne_get_error(sess), NOCERT_MESSAGE) == NULL
1220 && strstr(ne_get_error(sess), NOCERT_ALT) == NULL,
1221 ("error message was '%s', missing '%s'",
1222 ne_get_error(sess), NOCERT_MESSAGE));
1223
1224 reap_server();
1225
1226 ne_session_destroy(sess);
1227 return OK;
1228 }
1229
1230 /* non-zero if a server auth header was received */
1231 static int got_server_auth;
1232
1233 /* Utility function which accepts the 'tunnel' header. */
tunnel_header(char * value)1234 static void tunnel_header(char *value)
1235 {
1236 got_server_auth = 1;
1237 }
1238
1239 /* Server which acts as a proxy accepting a CONNECT request. */
serve_tunnel(ne_socket * sock,void * ud)1240 static int serve_tunnel(ne_socket *sock, void *ud)
1241 {
1242 struct ssl_server_args *args = ud;
1243
1244 /* check for a server auth function */
1245 want_header = "Authorization";
1246 got_header = tunnel_header;
1247 got_server_auth = 0;
1248
1249 /* give the plaintext tunnel reply, acting as the proxy */
1250 CALL(discard_request(sock));
1251
1252 if (got_server_auth) {
1253 SEND_STRING(sock, "HTTP/1.1 500 Leaked Server Auth Creds\r\n"
1254 "Content-Length: 0\r\n" "Server: serve_tunnel\r\n\r\n");
1255 return 0;
1256 } else {
1257 SEND_STRING(sock, "HTTP/1.1 200 OK\r\nServer: serve_tunnel\r\n\r\n");
1258 return ssl_server(sock, args);
1259 }
1260 }
1261
1262 /* neon versions <= 0.21.2 segfault here because ne_sock_close would
1263 * be called twice on the socket after the server cert verification
1264 * fails. */
fail_tunnel(void)1265 static int fail_tunnel(void)
1266 {
1267 ne_session *sess = ne_session_create("https", "example.com", 443);
1268 struct ssl_server_args args = {SERVER_CERT, NULL};
1269
1270 ne_session_proxy(sess, "localhost", 7777);
1271
1272 ONN("server cert verification didn't fail",
1273 any_ssl_request(sess, serve_tunnel, &args, CA_CERT,
1274 NULL, NULL) != NE_ERROR);
1275
1276 ne_session_destroy(sess);
1277 return OK;
1278 }
1279
proxy_tunnel(void)1280 static int proxy_tunnel(void)
1281 {
1282 ne_session *sess = ne_session_create("https", "localhost", 443);
1283 struct ssl_server_args args = {SERVER_CERT, NULL};
1284
1285 ne_session_proxy(sess, "localhost", 7777);
1286
1287 /* CA cert is trusted, so no verify callback should be needed. */
1288 CALL(any_ssl_request(sess, serve_tunnel, &args, CA_CERT,
1289 NULL, NULL));
1290
1291 ne_session_destroy(sess);
1292 return OK;
1293 }
1294
1295 #define RESP_0LENGTH "HTTP/1.1 200 OK\r\n" "Content-Length: 0\r\n" "\r\n"
1296
1297 /* a tricky test which requires spawning a second server process in
1298 * time for a new connection after a 407. */
apt_post_send(ne_request * req,void * ud,const ne_status * st)1299 static int apt_post_send(ne_request *req, void *ud, const ne_status *st)
1300 {
1301 int *code = ud;
1302 if (st->code == *code) {
1303 struct ssl_server_args args = {SERVER_CERT, NULL};
1304
1305 if (*code == 407) args.numreqs = 2;
1306 args.response = RESP_0LENGTH;
1307
1308 NE_DEBUG(NE_DBG_HTTP, "Got challenge, awaiting server...\n");
1309 CALL(await_server());
1310 NE_DEBUG(NE_DBG_HTTP, "Spawning proper tunnel server...\n");
1311 /* serve *two* 200 OK responses. */
1312 CALL(spawn_server(7777, serve_tunnel, &args));
1313 NE_DEBUG(NE_DBG_HTTP, "Spawned.\n");
1314 }
1315 return OK;
1316 }
1317
apt_creds(void * userdata,const char * realm,int attempt,char * username,char * password)1318 static int apt_creds(void *userdata, const char *realm, int attempt,
1319 char *username, char *password)
1320 {
1321 strcpy(username, "foo");
1322 strcpy(password, "bar");
1323 return attempt;
1324 }
1325
1326 /* Test for using SSL over a CONNECT tunnel via a proxy server which
1327 * requires authentication. Broke briefly between 0.23.x and
1328 * 0.24.0. */
auth_proxy_tunnel(void)1329 static int auth_proxy_tunnel(void)
1330 {
1331 ne_session *sess = ne_session_create("https", "localhost", 443);
1332 int ret, code = 407;
1333
1334 ne_session_proxy(sess, "localhost", 7777);
1335 ne_hook_post_send(sess, apt_post_send, &code);
1336 ne_set_proxy_auth(sess, apt_creds, NULL);
1337 ne_ssl_trust_cert(sess, def_ca_cert);
1338
1339 CALL(spawn_server(7777, single_serve_string,
1340 "HTTP/1.0 407 I WANT MORE BISCUITS\r\n"
1341 "Proxy-Authenticate: Basic realm=\"bigbluesea\"\r\n"
1342 "Connection: close\r\n" "\r\n"));
1343
1344 /* run two requests over the tunnel. */
1345 ret = any_2xx_request(sess, "/foobar");
1346 if (!ret) ret = any_2xx_request(sess, "/foobar2");
1347 CALL(ret);
1348
1349 return destroy_and_wait(sess);
1350 }
1351
1352 /* Regression test to check that server credentials aren't sent to the
1353 * proxy in a CONNECT request. */
auth_tunnel_creds(void)1354 static int auth_tunnel_creds(void)
1355 {
1356 ne_session *sess = ne_session_create("https", "localhost", 443);
1357 int code = 401;
1358 struct ssl_server_args args = {SERVER_CERT, 0};
1359
1360 ne_session_proxy(sess, "localhost", 7777);
1361 ne_hook_post_send(sess, apt_post_send, &code);
1362 ne_set_server_auth(sess, apt_creds, NULL);
1363 ne_ssl_trust_cert(sess, def_ca_cert);
1364
1365 args.response = "HTTP/1.1 401 I want a Shrubbery\r\n"
1366 "WWW-Authenticate: Basic realm=\"bigredocean\"\r\n"
1367 "Server: Python\r\n" "Content-Length: 0\r\n" "\r\n";
1368
1369 CALL(spawn_server(7777, serve_tunnel, &args));
1370 CALL(any_2xx_request(sess, "/foobar"));
1371
1372 return destroy_and_wait(sess);
1373 }
1374
auth_tunnel_fail(void)1375 static int auth_tunnel_fail(void)
1376 {
1377 ne_session *sess = ne_session_create("https", "localhost", 443);
1378 int ret;
1379
1380 CALL(spawn_server(7777, single_serve_string,
1381 "HTTP/1.1 407 Nyaaaaah\r\n"
1382 "Proxy-Authenticate: GaBoogle\r\n"
1383 "Connection: close\r\n"
1384 "\r\n"));
1385
1386 ne_session_proxy(sess, "localhost", 7777);
1387
1388 ne_set_proxy_auth(sess, apt_creds, NULL);
1389
1390 ret = any_request(sess, "/bar");
1391 ONV(ret != NE_PROXYAUTH, ("bad error code for tunnel failure: %d", ret));
1392
1393 ONV(strstr(ne_get_error(sess), "GaBoogle") == NULL,
1394 ("bad error string for tunnel failure: %s", ne_get_error(sess)));
1395
1396 return destroy_and_wait(sess);
1397 }
1398
1399 /* compare against known digest of notvalid.pem. Via:
1400 * $ openssl x509 -fingerprint -sha1 -noout -in notvalid.pem */
1401 #define THE_DIGEST "cf:5c:95:93:76:c6:3c:01:8b:62:" \
1402 "b1:6f:f7:7f:42:32:ac:e6:69:1b"
1403
cert_fingerprint(void)1404 static int cert_fingerprint(void)
1405 {
1406 char *fn = ne_concat(srcdir, "/notvalid.pem", NULL);
1407 ne_ssl_certificate *cert = ne_ssl_cert_read(fn);
1408 char digest[60];
1409
1410 ne_free(fn);
1411
1412 ONN("could not load notvalid.pem", cert == NULL);
1413
1414 ONN("failed to digest", ne_ssl_cert_digest(cert, digest));
1415 ne_ssl_cert_free(cert);
1416
1417 ONV(strcmp(digest, THE_DIGEST),
1418 ("digest was %s not %s", digest, THE_DIGEST));
1419
1420 return OK;
1421 }
1422
cert_hdigests(void)1423 static int cert_hdigests(void)
1424 {
1425 static const struct {
1426 unsigned int flags;
1427 const char *digest;
1428 } ts[] = {
1429 { NE_HASH_MD5|NE_HASH_COLON, "76:26:eb:db:09:e8:53:5c:79:61:0c:30:3d:77:ed:65" },
1430 { NE_HASH_MD5, "7626ebdb09e8535c79610c303d77ed65" },
1431 { NE_HASH_SHA256, "ea4a4f4f08a91a83e841e772171a2befa3f6e576b5cd9f5cd6d12e9683fe89b3" },
1432 { NE_HASH_SHA512, "35373c533f4000ee9b6173a45eedae732f6c953dcf76f5fba5ffb7be380de559893d0679e94051950be2a5917fa7922fbf50ef10222d5be4eea53ba948cf7703" },
1433 { 0, NULL }
1434 };
1435 unsigned int n, passed = 0;
1436 char *fn = ne_concat(srcdir, "/notvalid.pem", NULL);
1437 ne_ssl_certificate *cert = ne_ssl_cert_read(fn);
1438
1439 ONN("could not load notvalid.pem", cert == NULL);
1440
1441 for (n = 0; ts[n].flags; n++) {
1442 char *dig = ne_ssl_cert_hdigest(cert, ts[n].flags);
1443
1444 /* Can reasonably for almost any hash (either too modern or
1445 * too old), so what can you do? */
1446 if (dig == NULL) {
1447 t_warning("failed to htdigest with flags %u", ts[n].flags);
1448 continue;
1449 }
1450
1451 NE_DEBUG(NE_DBG_SSL, "ssl: hDigest %u got %s, expected %s\n",
1452 ts[n].flags, dig, ts[n].digest);
1453
1454 ONV(strcmp(dig, ts[n].digest),
1455 ("digest was %s not %s", dig, ts[n].digest));
1456
1457 passed++;
1458 ne_free(dig);
1459 }
1460
1461 ONN("no algorithms supported for ne_ssl_cert_hdigest", passed == 0);
1462
1463 ne_ssl_cert_free(cert);
1464 ne_free(fn);
1465
1466 return OK;
1467 }
1468
1469 /* verify that identity of certificate in filename 'fname' is 'identity' */
check_identity(const char * fname,const char * identity)1470 static int check_identity(const char *fname, const char *identity)
1471 {
1472 ne_ssl_certificate *cert = ne_ssl_cert_read(fname);
1473 const char *id;
1474
1475 ONV(cert == NULL, ("could not read cert `%s'", fname));
1476
1477 id = ne_ssl_cert_identity(cert);
1478
1479 if (identity) {
1480 ONV(id == NULL, ("certificate `%s' had no identity", fname));
1481 ONV(strcmp(id, identity),
1482 ("certificate `%s' had identity `%s' not `%s'", fname,
1483 id, identity));
1484 } else {
1485 ONV(id != NULL, ("certificate `%s' had identity `%s' (expected none)",
1486 fname, id));
1487 }
1488
1489 ne_ssl_cert_free(cert);
1490 return OK;
1491 }
1492
1493 /* check certificate identities. */
cert_identities(void)1494 static int cert_identities(void)
1495 {
1496 static const struct {
1497 const char *fname, *identity;
1498 } certs[] = {
1499 { "ssigned.pem", "localhost" },
1500 { "twocn.cert", "localhost" },
1501 { "altname1.cert", "localhost" },
1502 { "altname2.cert", "nohost.example.com" },
1503 { "altname4.cert", "localhost" },
1504 { "ca4.pem", "fourth.example.com" },
1505 { "altname8.cert", "http://nohost.example.com/" },
1506 { NULL, NULL }
1507 };
1508 int n;
1509
1510 for (n = 0; certs[n].fname != NULL; n++)
1511 CALL(check_identity(certs[n].fname, certs[n].identity));
1512
1513 return OK;
1514 }
1515
nulcn_identity(void)1516 static int nulcn_identity(void)
1517 {
1518 ne_ssl_certificate *cert = ne_ssl_cert_read(nul_cn_fn);
1519 const char *id;
1520
1521 ONN("could not read nulcn.pem", cert == NULL);
1522
1523 id = ne_ssl_cert_identity(cert);
1524
1525 ONN("embedded NUL byte not quoted",
1526 id != NULL && strcmp(id, "www.bank.com") == 0);
1527
1528 ne_ssl_cert_free(cert);
1529 return OK;
1530 }
1531
check_validity(const char * fname,const char * from,const char * until)1532 static int check_validity(const char *fname,
1533 const char *from, const char *until)
1534 {
1535 char actfrom[NE_SSL_VDATELEN], actuntil[NE_SSL_VDATELEN];
1536 ne_ssl_certificate *cert;
1537
1538 cert = ne_ssl_cert_read(fname);
1539 ONV(cert == NULL, ("could not load cert `%s'", fname));
1540
1541 /* cover all calling combos for nice coverage analysis */
1542 ne_ssl_cert_validity(cert, NULL, NULL);
1543 ne_ssl_cert_validity(cert, actfrom, NULL);
1544 ne_ssl_cert_validity(cert, NULL, actuntil);
1545 ne_ssl_cert_validity(cert, actfrom, actuntil);
1546
1547 ONV(strcmp(actfrom, from),
1548 ("%s: start time was `%s' not `%s'", fname, actfrom, from));
1549
1550 ONV(strcmp(actuntil, until),
1551 ("%s: end time was `%s' not `%s'", fname, actuntil, until));
1552
1553 ne_ssl_cert_free(cert);
1554 return OK;
1555 }
1556
1557 /* ceritificate validity times. */
cert_validity(void)1558 static int cert_validity(void)
1559 {
1560 char *cert = ne_concat(srcdir, "/expired.pem", NULL);
1561 CALL(check_validity(cert,
1562 "Mon, 21 Jan 2002 20:39:04 GMT", "Thu, 31 Jan 2002 20:39:04 GMT"));
1563 ne_free(cert);
1564 cert = ne_concat(srcdir, "/notvalid.pem", NULL);
1565 CALL(check_validity(cert,
1566 "Wed, 27 Dec 2023 20:40:29 GMT", "Thu, 28 Dec 2023 20:40:29 GMT"));
1567 ne_free(cert);
1568 return OK;
1569 }
1570
1571 /* dname comparisons. */
dname_compare(void)1572 static int dname_compare(void)
1573 {
1574 ne_ssl_certificate *ssigned;
1575 const ne_ssl_dname *dn1, *dn2;
1576
1577 dn1 = ne_ssl_cert_subject(def_server_cert);
1578 dn2 = ne_ssl_cert_subject(def_server_cert);
1579 ONN("identical subject names not equal", ne_ssl_dname_cmp(dn1, dn2) != 0);
1580
1581 dn2 = ne_ssl_cert_issuer(def_server_cert);
1582 ONN("issuer and subject names equal for signed cert",
1583 ne_ssl_dname_cmp(dn1, dn2) == 0);
1584
1585 dn1 = ne_ssl_cert_subject(def_ca_cert);
1586 ONN("issuer of signed cert not equal to subject of CA cert",
1587 ne_ssl_dname_cmp(dn1, dn2) != 0);
1588
1589 ssigned = ne_ssl_cert_read("ssigned.pem");
1590 ONN("could not load ssigned.pem", ssigned == NULL);
1591
1592 dn1 = ne_ssl_cert_subject(ssigned);
1593 dn2 = ne_ssl_cert_issuer(ssigned);
1594 ONN("issuer and subject names not equal for self-signed cert",
1595 ne_ssl_dname_cmp(dn1, dn2));
1596 ne_ssl_cert_free(ssigned);
1597
1598 return OK;
1599 }
1600
1601 /* The dname with the UTF-8 encoding of the Unicode string:
1602 * "H<LATIN SMALL LETTER E WITH GRAVE>llo World". */
1603 #define I18N_DNAME "H\xc3\xa8llo World, Neon Hackers Ltd, Cambridge, Cambridgeshire, GB"
1604
1605 /* N.B. t61subj.cert encodes an ISO-8859-1 string in a T61String
1606 * field, which is strictly wrong but the common usage. */
1607
1608 /* tests for ne_ssl_readable_dname */
dname_readable(void)1609 static int dname_readable(void)
1610 {
1611 struct {
1612 const char *cert;
1613 const char *subjdn, *issuerdn;
1614 } ts[] = {
1615 { "justmail.cert", "blah@example.com", NULL },
1616 { "t61subj.cert", I18N_DNAME, NULL },
1617 { "bmpsubj.cert", I18N_DNAME, NULL },
1618 { "utf8subj.cert", I18N_DNAME, NULL },
1619 { "twoou.cert", "First OU Dept, Second OU Dept, Neon Hackers Ltd, "
1620 "Cambridge, Cambridgeshire, GB", NULL }
1621 };
1622 size_t n;
1623
1624 for (n = 0; n < sizeof(ts)/sizeof(ts[0]); n++) {
1625 ne_ssl_certificate *cert = ne_ssl_cert_read(ts[n].cert);
1626 ONV(cert == NULL, ("could not load cert %s", ts[n].cert));
1627 CALL(check_cert_dnames(cert, ts[n].subjdn, ts[n].issuerdn));
1628 ne_ssl_cert_free(cert);
1629 }
1630
1631 return OK;
1632 }
1633
1634 /* test cert comparisons */
cert_compare(void)1635 static int cert_compare(void)
1636 {
1637 ne_ssl_certificate *c1, *c2;
1638
1639 c1 = ne_ssl_cert_read("server.cert");
1640 c2 = ne_ssl_cert_read("server.cert");
1641 ONN("identical certs don't compare equal", ne_ssl_cert_cmp(c1, c2) != 0);
1642 ONN("identical certs don't compare equal", ne_ssl_cert_cmp(c2, c1) != 0);
1643 ne_ssl_cert_free(c2);
1644
1645 c2 = ne_ssl_cert_read("ssigned.pem");
1646 ONN("different certs don't compare different",
1647 ne_ssl_cert_cmp(c1, c2) == 0);
1648 ONN("different certs don't compare different",
1649 ne_ssl_cert_cmp(c2, c1) == 0);
1650 ne_ssl_cert_free(c2);
1651 ne_ssl_cert_free(c1);
1652
1653 return OK;
1654 }
1655
1656 /* Extract raw base64 string from a PEM file */
flatten_pem(const char * fname,char ** out)1657 static int flatten_pem(const char *fname, char **out)
1658 {
1659 FILE *fp = fopen(fname, "r");
1660 char buf[80];
1661 size_t outlen = 0;
1662 int ignore = 1;
1663
1664 ONV(fp == NULL, ("could not open %s", fname));
1665
1666 *out = NULL;
1667
1668 while (fgets(buf, sizeof buf, fp) != NULL) {
1669 size_t len = strlen(buf) - 1;
1670
1671 if (len < 1) continue;
1672
1673 /* look for the wrapper lines. */
1674 if (strncmp(buf, "-----", 5) == 0) {
1675 ignore = !ignore;
1676 continue;
1677 }
1678
1679 /* ignore until the first wrapper line */
1680 if (ignore) continue;
1681
1682 *out = realloc(*out, outlen + len + 1);
1683 memcpy(*out + outlen, buf, len);
1684 outlen += len;
1685 }
1686
1687 (*out)[outlen] = '\0';
1688 fclose(fp);
1689
1690 return OK;
1691 }
1692
1693 /* check export cert data 'actual' against expected data 'expected */
check_exported_data(const char * actual,const char * expected)1694 static int check_exported_data(const char *actual, const char *expected)
1695 {
1696 ONN("could not export cert", actual == NULL);
1697
1698 ONN("export data contained newline",
1699 strchr(actual, '\r') || strchr(actual, '\n'));
1700
1701 ONV(strcmp(actual, expected), ("exported cert differed from expected:\n"
1702 "actual: %s\nexpected: %s",
1703 actual, expected));
1704 return OK;
1705 }
1706
1707 /* Test import and export of certificates. The export format is PEM
1708 * without the line feeds and wrapping; compare against . */
import_export(void)1709 static int import_export(void)
1710 {
1711 char *expected, *actual;
1712 ne_ssl_certificate *cert, *imp;
1713
1714 CALL(flatten_pem("server.cert", &expected));
1715
1716 cert = ne_ssl_cert_read("server.cert");
1717 ONN("could not load server.cert", cert == NULL);
1718
1719 /* export the cert to and compare it with the PEM file */
1720 actual = ne_ssl_cert_export(cert);
1721 CALL(check_exported_data(actual, expected));
1722
1723 /* import the exported cert data, check it looks the same */
1724 imp = ne_ssl_cert_import(actual);
1725 ONN("failed to import exported cert", imp == NULL);
1726 ONN("imported cert was different to original",
1727 ne_ssl_cert_cmp(imp, cert));
1728
1729 /* re-export the imported cert and check that looks the same */
1730 ne_free(actual);
1731 actual = ne_ssl_cert_export(imp);
1732 CALL(check_exported_data(actual, expected));
1733 ne_ssl_cert_free(imp);
1734
1735 /* try importing from bogus data */
1736 imp = ne_ssl_cert_import("!!");
1737 ONN("imported bogus cert from bogus base64", imp != NULL);
1738 imp = ne_ssl_cert_import("aaaa");
1739 ONN("imported bogus cert from valid base64", imp != NULL);
1740
1741 ne_ssl_cert_free(cert);
1742 ne_free(actual);
1743 ne_free(expected);
1744 return OK;
1745 }
1746
1747 /* Test write/read */
read_write(void)1748 static int read_write(void)
1749 {
1750 ne_ssl_certificate *c1, *c2;
1751
1752 c1 = ne_ssl_cert_read("server.cert");
1753 ONN("could not load server.cert", c1 == NULL);
1754
1755 ONN("could not write output.pem", ne_ssl_cert_write(c1, "output.pem"));
1756
1757 ONN("wrote to nonexistent directory",
1758 ne_ssl_cert_write(c1, "nonesuch/output.pem") == 0);
1759
1760 c2 = ne_ssl_cert_read("output.pem");
1761 ONN("could not read output.pem", c2 == NULL);
1762
1763 ONN("read of output.pem differs from original",
1764 ne_ssl_cert_cmp(c2, c1));
1765
1766 ne_ssl_cert_free(c1);
1767 ne_ssl_cert_free(c2);
1768
1769 return OK;
1770 }
1771
1772 /* A verification callback which caches the passed cert. */
verify_cache(void * userdata,int fs,const ne_ssl_certificate * cert)1773 static int verify_cache(void *userdata, int fs,
1774 const ne_ssl_certificate *cert)
1775 {
1776 char **cache = userdata;
1777
1778 if (*cache == NULL) {
1779 *cache = ne_ssl_cert_export(cert);
1780 return 0;
1781 } else {
1782 return -1;
1783 }
1784 }
1785
1786 /* Test a common use of the SSL API; cache the server cert across
1787 * sessions. */
cache_cert(void)1788 static int cache_cert(void)
1789 {
1790 ne_session *sess = DEFSESS;
1791 char *cache = NULL;
1792 ne_ssl_certificate *cert;
1793 struct ssl_server_args args = {0};
1794
1795 args.cert = "ssigned.pem";
1796 args.cache = 1;
1797
1798 ONREQ(any_ssl_request(sess, ssl_server, &args, CA_CERT,
1799 verify_cache, &cache));
1800 ne_session_destroy(sess);
1801
1802 ONN("no cert was cached", cache == NULL);
1803
1804 /* make a real cert */
1805 cert = ne_ssl_cert_import(cache);
1806 ONN("could not import cached cert", cert == NULL);
1807 ne_free(cache);
1808
1809 /* create a new session */
1810 sess = DEFSESS;
1811 /* trust the cert */
1812 ne_ssl_trust_cert(sess, cert);
1813 ne_ssl_cert_free(cert);
1814 /* now, the request should succeed without manual verification */
1815 ONREQ(any_ssl_request(sess, ssl_server, &args, CA_CERT,
1816 NULL, NULL));
1817 ne_session_destroy(sess);
1818 return OK;
1819 }
1820
nonssl_trust(void)1821 static int nonssl_trust(void)
1822 {
1823 ne_session *sess = ne_session_create("http", "www.example.com", 80);
1824
1825 ne_ssl_trust_cert(sess, def_ca_cert);
1826
1827 ne_session_destroy(sess);
1828
1829 return OK;
1830 }
1831
1832 /* PIN password provider callback. */
pkcs11_pin(void * userdata,int attempt,const char * slot_descr,const char * token_label,unsigned int flags,char * pin)1833 static int pkcs11_pin(void *userdata, int attempt,
1834 const char *slot_descr, const char *token_label,
1835 unsigned int flags, char *pin)
1836 {
1837 char *sekrit = userdata;
1838
1839 NE_DEBUG(NE_DBG_SSL, "pkcs11: slot = [%s], token = [%s]\n",
1840 slot_descr, token_label);
1841
1842 if (attempt == 0) {
1843 strcpy(pin, sekrit);
1844 return 0;
1845 }
1846 else {
1847 return -1;
1848 }
1849 }
1850
nss_pkcs11_test(const char * dbname)1851 static int nss_pkcs11_test(const char *dbname)
1852 {
1853 ne_session *sess = DEFSESS;
1854 struct ssl_server_args args = {SERVER_CERT, NULL};
1855 ne_ssl_pkcs11_provider *prov;
1856 int ret;
1857
1858 args.require_cc = 1;
1859
1860 if (access(dbname, R_OK|X_OK)) {
1861 t_warning("NSS required for PKCS#11 testing");
1862 return SKIP;
1863 }
1864
1865 ret = ne_ssl_pkcs11_nss_provider_init(&prov, "softokn3", dbname, NULL,
1866 NULL, NULL);
1867 if (ret) {
1868 if (ret == NE_PK11_NOTIMPL)
1869 t_context("pakchois library required for PKCS#11 support");
1870 else
1871 t_context("could not load NSS softokn3 PKCS#11 provider");
1872 return SKIP;
1873 }
1874
1875 ne_ssl_pkcs11_provider_pin(prov, pkcs11_pin, "foobar");
1876 ne_ssl_set_pkcs11_provider(sess, prov);
1877
1878 ret = any_ssl_request(sess, ssl_server, &args, CA_CERT, NULL, NULL);
1879
1880 ne_session_destroy(sess);
1881 ne_ssl_pkcs11_provider_destroy(prov);
1882
1883 return ret;
1884 }
1885
pkcs11(void)1886 static int pkcs11(void)
1887 {
1888 return nss_pkcs11_test("nssdb");
1889 }
1890
pkcs11_dsa(void)1891 static int pkcs11_dsa(void)
1892 {
1893 return nss_pkcs11_test("nssdb-dsa");
1894 }
1895
1896 /* TODO: code paths still to test in cert verification:
1897 * - server cert changes between connections: Mozilla gives
1898 * a "bad MAC decode" error for this; can do better?
1899 * - server presents no certificate (using ADH ciphers)... can
1900 * only really happen if they mess with the SSL_CTX and enable
1901 * ADH cipher manually; but good to check the failure case is
1902 * safe.
1903 * - SSL cert changes between connections; handle as normal & re-verify
1904 * From the SSL book:
1905 * - an early FIN should be returned as a possible truncation attack,
1906 * NOT just an NE_SOCK_CLOSED.
1907 * - unexpected close_notify is an error but not an attack.
1908 * - never attempt session resumption after any aborted connection.
1909 */
1910
1911 ne_test tests[] = {
1912 T_LEAKY(init),
1913
1914 T(load_server_certs),
1915 T(trust_default_ca),
1916
1917 T(cert_fingerprint),
1918 T(cert_hdigests),
1919 T(cert_identities),
1920 T(cert_validity),
1921 T(cert_compare),
1922 T(dname_compare),
1923 T(dname_readable),
1924 T(import_export),
1925 T(read_write),
1926
1927 T(load_client_cert),
1928 T(clicert_import),
1929
1930 T(simple),
1931 #if 0
1932 T(simple_sslv2),
1933 #endif
1934 T(simple_eof),
1935 T(empty_truncated_eof),
1936 T(fail_not_ssl),
1937 T(cache_cert),
1938 T(intermediary),
1939
1940 T(client_cert_pkcs12),
1941 T(ccert_unencrypted),
1942 T(client_cert_provided),
1943 T(cc_provided_dnames),
1944 T(no_client_cert),
1945 T(client_cert_ca),
1946
1947 T(parse_cert),
1948 T(parse_chain),
1949
1950 T(no_verify),
1951 T(cache_verify),
1952 T(wildcard_match),
1953 T(wildcard_match_altname),
1954 T(caseless_match),
1955
1956 T(subject_altname),
1957 T(two_subject_altname),
1958 T(two_subject_altname2),
1959 T(notdns_altname),
1960 T(ipaddr_altname),
1961 T(uri_altname),
1962
1963 T(multi_commonName),
1964 T(commonName_first),
1965
1966 T(fail_wrongCN),
1967 T(fail_expired),
1968 T(fail_notvalid),
1969 T(fail_untrusted_ca),
1970 T(fail_self_signed),
1971 T(fail_missing_CN),
1972 T(fail_host_ipaltname),
1973 T(fail_bad_ipaltname),
1974 T(fail_bad_urialtname),
1975 T(fail_wildcard),
1976 T(fail_wildcard_ip),
1977 T(fail_ca_notyetvalid),
1978 T(fail_ca_expired),
1979
1980 T(nulcn_identity),
1981 #if 0
1982 /* These certs were created with a SHA#1 digest so are rejected by
1983 * modern TLS libraries. */
1984 T(fail_nul_cn),
1985 T(fail_nul_san),
1986 #endif
1987
1988 #if 0
1989 T(session_cache),
1990 #endif
1991
1992 T(fail_tunnel),
1993 T(proxy_tunnel),
1994 T(auth_proxy_tunnel),
1995 T(auth_tunnel_creds),
1996 T(auth_tunnel_fail),
1997
1998 T(nonssl_trust),
1999
2000 T(pkcs11),
2001 T_XFAIL(pkcs11_dsa), /* unclear why this fails currently. */
2002
2003 T(NULL)
2004 };
2005