/*
 * nghttp2 - HTTP/2 C Library
 *
 * Copyright (c) 2013 Tatsuhiro Tsujikawa
 *
 * Permission is hereby granted, free of charge, to any person obtaining
 * a copy of this software and associated documentation files (the
 * "Software"), to deal in the Software without restriction, including
 * without limitation the rights to use, copy, modify, merge, publish,
 * distribute, sublicense, and/or sell copies of the Software, and to
 * permit persons to whom the Software is furnished to do so, subject to
 * the following conditions:
 *
 * The above copyright notice and this permission notice shall be
 * included in all copies or substantial portions of the Software.
 *
 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
 * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
 * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
 * NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
 * LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
 * OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
 * WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
 */
252c593315Sopenharmony_ci#include "shrpx_tls_test.h"
262c593315Sopenharmony_ci
272c593315Sopenharmony_ci#include <CUnit/CUnit.h>
282c593315Sopenharmony_ci
292c593315Sopenharmony_ci#include "shrpx_tls.h"
302c593315Sopenharmony_ci#include "shrpx_log.h"
312c593315Sopenharmony_ci#include "util.h"
322c593315Sopenharmony_ci#include "template.h"
332c593315Sopenharmony_ci
342c593315Sopenharmony_ciusing namespace nghttp2;
352c593315Sopenharmony_ci
362c593315Sopenharmony_cinamespace shrpx {
372c593315Sopenharmony_ci
// Exercises tls::CertLookupTree with exact names, wildcard patterns, a
// duplicate entry and names that are suffixes of one another.
void test_shrpx_tls_create_lookup_tree(void) {
  // Every pattern is registered under its position in this table, so the
  // expected lookup() results below are indices into it; -1 means "no
  // certificate matches".
  constexpr StringRef hostnames[] = {
      StringRef::from_lit("example.com"),             // 0
      StringRef::from_lit("www.example.org"),         // 1
      StringRef::from_lit("*www.example.org"),        // 2
      StringRef::from_lit("xy*.host.domain"),         // 3
      StringRef::from_lit("*yy.host.domain"),         // 4
      StringRef::from_lit("nghttp2.sourceforge.net"), // 5
      StringRef::from_lit("sourceforge.net"),         // 6
      StringRef::from_lit("sourceforge.net"),         // 7, duplicate of 6
      StringRef::from_lit("*.foo.bar"), // 8, oo.bar is suffix of *.foo.bar
      StringRef::from_lit("oo.bar")     // 9
  };

  auto tree = std::make_unique<tls::CertLookupTree>();

  size_t next_idx = 0;
  for (const auto &pattern : hostnames) {
    tree->add_cert(pattern, next_idx++);
  }

  tree->dump();

  // Exact names resolve to their own index.
  CU_ASSERT(tree->lookup(hostnames[0]) == 0);
  CU_ASSERT(tree->lookup(hostnames[1]) == 1);

  // "*www.example.org" needs the literal "www" right after the wildcard
  // part; "www2" does not end the label with it and is rejected.
  CU_ASSERT(tree->lookup(StringRef::from_lit("2www.example.org")) == 2);
  CU_ASSERT(tree->lookup(StringRef::from_lit("www2.example.org")) == -1);

  CU_ASSERT(tree->lookup(StringRef::from_lit("xy1.host.domain")) == 3);

  // '*' has to consume at least one character, so the bare "yy" label is
  // not covered by "*yy.host.domain".
  CU_ASSERT(tree->lookup(StringRef::from_lit("yy.host.domain")) == -1);
  CU_ASSERT(tree->lookup(StringRef::from_lit("xyy.host.domain")) == 4);

  // An empty name matches nothing.
  CU_ASSERT(tree->lookup(StringRef{}) == -1);

  // The duplicate at index 7 does not displace the entry at index 6.
  CU_ASSERT(tree->lookup(hostnames[5]) == 5);
  CU_ASSERT(tree->lookup(hostnames[6]) == 6);

  // Walk the suffixes "pdylay.sourceforge.net" ... ".sourceforge.net".
  // None of them is registered; only "nghttp2.sourceforge.net" and
  // "sourceforge.net" are, so a shared tail must not produce a hit.
  static constexpr char h6[] = "pdylay.sourceforge.net";
  for (size_t skip = 0; skip < 7; ++skip) {
    CU_ASSERT(tree->lookup(StringRef{h6 + skip, str_size(h6) - skip}) == -1);
  }

  CU_ASSERT(tree->lookup(StringRef::from_lit("x.foo.bar")) == 8);
  CU_ASSERT(tree->lookup(hostnames[9]) == 9);

  // Second tree: short names with common trailing characters ("ab" is a
  // suffix of both "rab" and "zab").  Each must still map to its own index.
  constexpr StringRef names[] = {
      StringRef::from_lit("rab"),  // 0
      StringRef::from_lit("zab"),  // 1
      StringRef::from_lit("zzub"), // 2
      StringRef::from_lit("ab")    // 3
  };

  tree = std::make_unique<tls::CertLookupTree>();

  next_idx = 0;
  for (const auto &name : names) {
    tree->add_cert(name, next_idx++);
  }

  for (size_t i = 0; i < array_size(names); ++i) {
    CU_ASSERT(static_cast<ssize_t>(i) == tree->lookup(names[i]));
  }
}
962c593315Sopenharmony_ci
// The certificates loaded by the test below were generated with cfssl.
// They are test fixtures read from NGHTTP2_SRC_DIR.
//
// Generate the self-signed CA key pair:
//
//   $ cfssl genkey -initca ca.nghttp2.org.csr.json |
//     cfssljson -bare ca.nghttp2.org
//
// Create the CSRs:
//
//   $ cfssl genkey test.nghttp2.org.csr.json | cfssljson -bare test.nghttp2.org
//   $ cfssl genkey test.example.com.csr.json | cfssljson -bare test.example.com
//
// Sign the CSRs with the CA:
//
//   $ cfssl sign -ca ca.nghttp2.org.pem -ca-key ca.nghttp2.org-key.pem
//     -config=ca-config.json -profile=server test.nghttp2.org.csr |
//     cfssljson -bare test.nghttp2.org
//
//   $ cfssl sign -ca ca.nghttp2.org.pem -ca-key ca.nghttp2.org-key.pem
//     -config=ca-config.json -profile=server test.example.com.csr |
//     cfssljson -bare test.example.com
//
// Loads two certificate chains into separate SSL_CTX objects, registers
// both with a CertLookupTree through cert_lookup_tree_add_ssl_ctx(), and
// checks which hostnames resolve afterwards.
void test_shrpx_tls_cert_lookup_tree_add_ssl_ctx(void) {
  static constexpr char nghttp2_certfile[] =
      NGHTTP2_SRC_DIR "/test.nghttp2.org.pem";
  static constexpr char examples_certfile[] =
      NGHTTP2_SRC_DIR "/test.example.com.pem";

  // First context: test.nghttp2.org.  The TLSContextData is attached as
  // app data and must stay alive for as long as the SSL_CTX is in use.
  auto nghttp2_ctx = SSL_CTX_new(TLS_server_method());
  auto nghttp2_ctx_guard = defer(SSL_CTX_free, nghttp2_ctx);
  auto nghttp2_ctx_data = std::make_unique<tls::TLSContextData>();
  nghttp2_ctx_data->cert_file = nghttp2_certfile;
  SSL_CTX_set_app_data(nghttp2_ctx, nghttp2_ctx_data.get());
  const int nghttp2_load_rv =
      SSL_CTX_use_certificate_chain_file(nghttp2_ctx, nghttp2_certfile);

  CU_ASSERT(nghttp2_load_rv == 1);

  // Second context: test.example.com, set up the same way.
  auto examples_ctx = SSL_CTX_new(TLS_server_method());
  auto examples_ctx_guard = defer(SSL_CTX_free, examples_ctx);
  auto examples_ctx_data = std::make_unique<tls::TLSContextData>();
  examples_ctx_data->cert_file = examples_certfile;
  SSL_CTX_set_app_data(examples_ctx, examples_ctx_data.get());
  const int examples_load_rv =
      SSL_CTX_use_certificate_chain_file(examples_ctx, examples_certfile);

  CU_ASSERT(examples_load_rv == 1);

  tls::CertLookupTree tree;
  std::vector<std::vector<SSL_CTX *>> indexed_ssl_ctx;

  const int nghttp2_add_rv =
      tls::cert_lookup_tree_add_ssl_ctx(&tree, indexed_ssl_ctx, nghttp2_ctx);

  CU_ASSERT(nghttp2_add_rv == 0);

  const int examples_add_rv =
      tls::cert_lookup_tree_add_ssl_ctx(&tree, indexed_ssl_ctx, examples_ctx);

  CU_ASSERT(examples_add_rv == 0);

  // The expected indices follow from the names inside the two fixture
  // certificates, which are not visible in this file.  A name that neither
  // certificate covers must yield -1.
  CU_ASSERT(tree.lookup(StringRef::from_lit("not-used.nghttp2.org")) == -1);
  CU_ASSERT(tree.lookup(StringRef::from_lit("test.nghttp2.org")) == 0);
  CU_ASSERT(tree.lookup(StringRef::from_lit("w.test.nghttp2.org")) == 1);
  CU_ASSERT(tree.lookup(StringRef::from_lit("www.test.nghttp2.org")) == 2);
  CU_ASSERT(tree.lookup(StringRef::from_lit("test.example.com")) == 3);
}
1632c593315Sopenharmony_ci
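// Adapts a pair of string literals to tls::tls_hostname_match().
//
// N and M are array extents, so for a string literal they count the
// terminating NUL.  One is subtracted from each so that the StringRefs
// hold only the visible characters; otherwise every comparison would run
// over names with a trailing NUL byte instead of plain hostnames.
//
// Both arguments are expected to be NUL-terminated character arrays
// (string literals); a non-terminated array would lose its last character.
template <size_t N, size_t M>
bool tls_hostname_match_wrapper(const char (&pattern)[N],
                                const char (&hostname)[M]) {
  return tls::tls_hostname_match(StringRef{pattern, N - 1},
                                 StringRef{hostname, M - 1});
}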
1692c593315Sopenharmony_ci
// Pins down the certificate-name matching rules of tls_hostname_match():
// case-insensitive comparison and a restricted form of wildcard matching.
void test_shrpx_tls_tls_hostname_match(void) {
  // Exact match, regardless of letter case.
  CU_ASSERT_TRUE(tls_hostname_match_wrapper("example.com", "example.com"));
  CU_ASSERT_TRUE(tls_hostname_match_wrapper("example.com", "EXAMPLE.com"));

  // Wildcards that are accepted: '*' as the whole left-most label, or
  // combined with a literal prefix or suffix inside that label.
  CU_ASSERT_TRUE(
      tls_hostname_match_wrapper("*.example.com", "www.example.com"));
  CU_ASSERT_TRUE(
      tls_hostname_match_wrapper("*w.example.com", "www.example.com"));
  CU_ASSERT_TRUE(
      tls_hostname_match_wrapper("www*.example.com", "www1.example.com"));
  CU_ASSERT_TRUE(
      tls_hostname_match_wrapper("www*.example.com", "WWW12.EXAMPLE.com"));

  // At least 2 dots are required after '*'; a wildcard directly under a
  // top-level label, or on its own, matches nothing.
  CU_ASSERT_FALSE(tls_hostname_match_wrapper("*.com", "example.com"));
  CU_ASSERT_FALSE(tls_hostname_match_wrapper("*", "example.com"));

  // '*' is only honoured in the left-most label.
  CU_ASSERT_FALSE(
      tls_hostname_match_wrapper("blog.*.example.com", "blog.my.example.com"));

  // The literal prefix in front of '*' has to agree.
  CU_ASSERT_FALSE(
      tls_hostname_match_wrapper("client*.example.com", "server.example.com"));

  // '*' must stand for at least one character.
  CU_ASSERT_FALSE(
      tls_hostname_match_wrapper("www*.example.com", "www.example.com"));

  // Without a wildcard, unrelated names and parent/child names never match.
  CU_ASSERT_FALSE(tls_hostname_match_wrapper("example.com", "nghttp2.org"));
  CU_ASSERT_FALSE(tls_hostname_match_wrapper("www.example.com", "example.com"));
  CU_ASSERT_FALSE(tls_hostname_match_wrapper("example.com", "www.example.com"));
}
1962c593315Sopenharmony_ci
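// Reads the first PEM-encoded X.509 certificate from the file at |path|.
//
// Returns the certificate, which the caller must release with X509_free(),
// or nullptr if the file cannot be opened or PEM_read_X509() fails.  A file
// that cannot be opened is also recorded as a CUnit failure, so a missing
// fixture is reported instead of passing a null FILE* to PEM_read_X509()
// and fclose().
static X509 *load_cert(const char *path) {
  auto f = fopen(path, "r");

  CU_ASSERT(nullptr != f);

  if (f == nullptr) {
    return nullptr;
  }

  auto cert = PEM_read_X509(f, nullptr, nullptr, nullptr);

  fclose(f);

  return cert;
}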
2052c593315Sopenharmony_ci
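// Converts the numeric IP address literal |ipaddr| into an Address with
// port 443.
//
// AI_NUMERICHOST | AI_NUMERICSERV restrict getaddrinfo() to parsing, so no
// name resolution takes place.  Failures are recorded through CU_ASSERT.
// Because CU_ASSERT does not abort the test, the function returns a
// zero-initialized Address in that case rather than dereferencing a null
// result.  The copy into addr.su is bounded by its size.
static Address parse_addr(const char *ipaddr) {
  addrinfo hints{};

  hints.ai_family = AF_UNSPEC;
  hints.ai_flags = AI_NUMERICHOST | AI_NUMERICSERV;

  addrinfo *res = nullptr;

  auto rv = getaddrinfo(ipaddr, "443", &hints, &res);

  CU_ASSERT(0 == rv);
  CU_ASSERT(nullptr != res);

  Address addr{};

  if (rv != 0 || res == nullptr) {
    return addr;
  }

  // Never copy more than the destination can hold.
  const bool fits = res->ai_addrlen <= sizeof(addr.su);

  CU_ASSERT(fits);

  if (fits) {
    addr.len = res->ai_addrlen;
    memcpy(&addr.su, res->ai_addr, res->ai_addrlen);
  }

  freeaddrinfo(res);

  return addr;
}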
2272c593315Sopenharmony_ci
// Checks tls::verify_numeric_hostname() against fixture certificates:
// IP addresses are matched against the SAN when one is present, and
// against the CommonName only when the certificate has no SAN.
void test_shrpx_tls_verify_numeric_hostname(void) {
  // Loads the certificate, runs the verification for |ipaddr| and releases
  // the certificate again.  |ipaddr| is taken by reference so that it keeps
  // its array type, which StringRef::from_lit() requires.
  const auto verify = [](const char *cert_path, const auto &ipaddr) {
    auto cert = load_cert(cert_path);
    auto addr = parse_addr(ipaddr);
    auto rv =
        tls::verify_numeric_hostname(cert, StringRef::from_lit(ipaddr), &addr);

    X509_free(cert);

    return rv;
  };

  // Successful IPv4 address match in SAN
  CU_ASSERT(0 == verify(NGHTTP2_SRC_DIR "/testdata/verify_hostname.crt",
                        "127.0.0.1"));

  // Successful IPv6 address match in SAN
  CU_ASSERT(0 ==
            verify(NGHTTP2_SRC_DIR "/testdata/verify_hostname.crt", "::1"));

  // Unsuccessful IPv4 address match in SAN
  CU_ASSERT(-1 == verify(NGHTTP2_SRC_DIR "/testdata/verify_hostname.crt",
                         "192.168.0.127"));

  // CommonName is not used if SAN is available
  CU_ASSERT(-1 ==
            verify(NGHTTP2_SRC_DIR "/testdata/ipaddr.crt", "192.168.0.1"));

  // Successful IPv4 address match in CommonName
  CU_ASSERT(0 ==
            verify(NGHTTP2_SRC_DIR "/testdata/nosan_ip.crt", "127.0.0.1"));
}
2942c593315Sopenharmony_ci
// Checks tls::verify_dns_hostname() against fixture certificates: DNS
// names are matched against the SAN when one is present, and against the
// CommonName only when the certificate has no SAN.
void test_shrpx_tls_verify_dns_hostname(void) {
  // Loads the certificate, verifies |hostname| against it and releases the
  // certificate again.
  const auto verify = [](const char *cert_path, const StringRef &hostname) {
    auto cert = load_cert(cert_path);
    auto rv = tls::verify_dns_hostname(cert, hostname);

    X509_free(cert);

    return rv;
  };

  // Successful exact DNS name match in SAN
  CU_ASSERT(0 == verify(NGHTTP2_SRC_DIR "/testdata/verify_hostname.crt",
                        StringRef::from_lit("nghttp2.example.com")));

  // Successful wildcard DNS name match in SAN
  CU_ASSERT(0 == verify(NGHTTP2_SRC_DIR "/testdata/verify_hostname.crt",
                        StringRef::from_lit("www.nghttp2.example.com")));

  // CommonName is not used if SAN is available.
  CU_ASSERT(-1 == verify(NGHTTP2_SRC_DIR "/testdata/verify_hostname.crt",
                         StringRef::from_lit("localhost")));

  // Successful DNS name match in CommonName
  CU_ASSERT(0 == verify(NGHTTP2_SRC_DIR "/testdata/nosan.crt",
                        StringRef::from_lit("localhost")));
}
3382c593315Sopenharmony_ci
3392c593315Sopenharmony_ci} // namespace shrpx