commit: r1655 - in neon/trunk: src test
joe at manyfish.co.uk
joe at manyfish.co.uk
Fri May 29 10:18:04 EDT 2009
Author: joe
Date: Fri May 29 07:18:03 2009
New Revision: 1655
Modified:
neon/trunk/src/ne_session.c
neon/trunk/test/ssl.c
Log:
* src/ne_session.c (ne__ssl_set_verify_err): Add error strings for
NE_SSL_BADCHAIN, NE_SSL_REVOKED.
* test/ssl.c (fail_ssl_request_with_error): Renamed from
fail_ssl_request; take error string and test for it.
(fail_ssl_request): Reimplement as wrapper for above.
(fail_expired, fail_wrongCN, fail_untrusted_ca,
fail_ca_expired): Use _with_error to test error strings.
Modified: neon/trunk/src/ne_session.c
==============================================================================
--- neon/trunk/src/ne_session.c (original)
+++ neon/trunk/src/ne_session.c Fri May 29 07:18:03 2009
@@ -1,6 +1,6 @@
/*
HTTP session handling
- Copyright (C) 1999-2008, Joe Orton <joe at manyfish.co.uk>
+ Copyright (C) 1999-2009, Joe Orton <joe at manyfish.co.uk>
Portions are:
Copyright (C) 1999-2000 Tommi Komulainen <Tommi.Komulainen at iki.fi>
@@ -540,6 +540,8 @@
{ NE_SSL_EXPIRED, N_("certificate has expired") },
{ NE_SSL_IDMISMATCH, N_("certificate issued for a different hostname") },
{ NE_SSL_UNTRUSTED, N_("issuer is not trusted") },
+ { NE_SSL_BADCHAIN, N_("bad certificate chain") },
+ { NE_SSL_REVOKED, N_("certificate has been revoked") },
{ 0, NULL }
};
int n, flag = 0;
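Review bot: The new NE_SSL_REVOKED entry has no matching check in the test changes of this commit: fail_ca_expired asserts "bad certificate chain", but nothing asserts "certificate has been revoked". The reason text is what tells a user why a certificate was rejected, so a revoked-certificate test using the same `fail_ssl_request_with_error` helper would be worth adding if the test fixtures allow it. The table and the enclosing ne__ssl_set_verify_err body start and end outside this hunk, so whether every other NE_SSL_* flag has an entry cannot be confirmed from here.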
Modified: neon/trunk/test/ssl.c
==============================================================================
--- neon/trunk/test/ssl.c (original)
+++ neon/trunk/test/ssl.c Fri May 29 07:18:03 2009
@@ -1,6 +1,6 @@
/*
neon test suite
- Copyright (C) 2002-2008, Joe Orton <joe at manyfish.co.uk>
+ Copyright (C) 2002-2009, Joe Orton <joe at manyfish.co.uk>
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
@@ -746,8 +746,9 @@
/* Helper function: run a request using the given self-signed server
* certificate, and expect the request to fail with the given
* verification failure flags. */
-static int fail_ssl_request(char *cert, char *cacert, const char *host,
- const char *msg, int failures)
+static int fail_ssl_request_with_error(char *cert, char *cacert, const char *host,
+ const char *msg, int failures,
+ const char *errstr)
{
ne_session *sess = ne_session_create("https", host, 7777);
int gotf = 0, ret;
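Review bot: The comment above fail_ssl_request_with_error still describes only the failure flags and says nothing about the new errstr parameter. Add a sentence such as `* If errstr is non-NULL, the session error string must also contain it.` The same comment is repeated verbatim above the fail_ssl_request wrapper in the next hunk, where it could instead say that the wrapper skips the error-string check. The function body continues outside this hunk.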
@@ -769,11 +770,25 @@
/* and check that the request was failed too. */
ONV(ret == NE_OK, ("%s", msg));
+ ONV(errstr && strstr(ne_get_error(sess), errstr) == NULL,
+ ("unexpected failure message '%s', wanted '%s'",
+ ne_get_error(sess), errstr));
+
ne_session_destroy(sess);
return OK;
}
+/* Helper function: run a request using the given self-signed server
+ * certificate, and expect the request to fail with the given
+ * verification failure flags. */
+static int fail_ssl_request(char *cert, char *cacert, const char *host,
+ const char *msg, int failures)
+{
+ return fail_ssl_request_with_error(cert, cacert, host, msg, failures,
+ NULL);
+}
+
/* Note that the certs used for fail_* are mostly self-signed, so the
* cert is passed as CA cert and server cert to fail_ssl_request. */
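Review bot: The errstr values passed by the fail_* callers are English literals copied from the N_() table in ne_session.c, and the new ONV check matches them with strstr against ne_get_error(sess). If the suite is ever run with a message catalogue active, or the table wording changes, these checks would fail for reasons unrelated to certificate verification. A short comment above the check, such as `/* errstr is the untranslated reason text from ne__ssl_set_verify_err */`, would make that dependency explicit. The match is also a substring test, so it confirms the expected reason is present but not that it is the only one reported; presumably the failures flag comparison earlier in the function, outside this hunk, covers that.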
@@ -781,17 +796,21 @@
* flagged as such. */
static int fail_wrongCN(void)
{
- return fail_ssl_request("wrongcn.cert", "ca/cert.pem", "localhost",
- "certificate with incorrect CN was accepted",
- NE_SSL_IDMISMATCH);
+ return fail_ssl_request_with_error("wrongcn.cert", "ca/cert.pem", "localhost",
+ "certificate with incorrect CN was accepted",
+ NE_SSL_IDMISMATCH,
+ "certificate issued for a different hostname");
+
}
/* Check that an expired certificate is flagged as such. */
static int fail_expired(void)
{
char *c = ne_concat(srcdir, "/expired.pem", NULL);
- CALL(fail_ssl_request(c, c, "localhost",
- "expired certificate was accepted", NE_SSL_EXPIRED));
+ CALL(fail_ssl_request_with_error(c, c, "localhost",
+ "expired certificate was accepted",
+ NE_SSL_EXPIRED,
+ "certificate has expired"));
ne_free(c);
return OK;
}
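Review bot: The rewritten fail_wrongCN leaves an empty line between the return statement and the closing brace; drop it so the function reads like the other fail_* helpers. The opening of the comment above fail_wrongCN is outside this hunk.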
@@ -799,9 +818,10 @@
static int fail_notvalid(void)
{
char *c = ne_concat(srcdir, "/notvalid.pem", NULL);
- CALL(fail_ssl_request(c, c, "localhost",
- "not yet valid certificate was accepted",
- NE_SSL_NOTYETVALID));
+ CALL(fail_ssl_request_with_error(c, c, "localhost",
+ "not yet valid certificate was accepted",
+ NE_SSL_NOTYETVALID,
+ "certificate is not yet valid"));
ne_free(c);
return OK;
}
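Review bot: fail_notvalid is switched to fail_ssl_request_with_error here, but the log message lists only fail_expired, fail_wrongCN, fail_untrusted_ca and fail_ca_expired; add it to the test/ssl.c entry so the record matches the change. The expected text "certificate is not yet valid" relies on a table entry for NE_SSL_NOTYETVALID that is not among the lines shown in the ne_session.c hunk, so confirm the wording matches that entry exactly.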
@@ -810,8 +830,9 @@
* fail with UNTRUSTED. */
static int fail_untrusted_ca(void)
{
- return fail_ssl_request("server.cert", NULL, "localhost",
- "untrusted CA.", NE_SSL_UNTRUSTED);
+ return fail_ssl_request_with_error("server.cert", NULL, "localhost",
+ "untrusted CA.", NE_SSL_UNTRUSTED,
+ "issuer is not trusted");
}
static int fail_self_signed(void)
@@ -866,8 +887,10 @@
static int fail_ca_expired(void)
{
- return fail_ssl_request("ca1server.cert", "ca1/cert.pem", "localhost",
- "issuer ca expired", NE_SSL_BADCHAIN);
+ return fail_ssl_request_with_error("ca1server.cert", "ca1/cert.pem",
+ "localhost", "issuer ca expired",
+ NE_SSL_BADCHAIN,
+ "bad certificate chain");
}
static int fail_ca_notyetvalid(void)