From ea1c81ce59df42e3bf0af59b90fbbcb8592ec0b8 Mon Sep 17 00:00:00 2001
From: Tomas Korbar <tkorbar@redhat.com>
Date: Mon, 6 Feb 2023 11:31:27 +0100
Subject: [PATCH] Fix testsuite

Resolves: rhbz#2166252
---
 libserf-1.3.9-testsuite.patch | 149 ++++++++++++++++++++++++++++++++++
 libserf.spec                  |  20 ++++-
 2 files changed, 166 insertions(+), 3 deletions(-)
 create mode 100644 libserf-1.3.9-testsuite.patch

diff --git a/libserf-1.3.9-testsuite.patch b/libserf-1.3.9-testsuite.patch
new file mode 100644
index 0000000..ef39c7b
--- /dev/null
+++ b/libserf-1.3.9-testsuite.patch
@@ -0,0 +1,149 @@
+commit ac95824beca21a6f8c7b51b6f7afebf01fbb1b4c
+Author: Tomas Korbar <tkorbar@redhat.com>
+Date:   Thu Feb 2 09:50:20 2023 +0100
+
+    Fix bio_apr_socket_ctrl in tests and fix test_ssl_handshake
+
+diff --git a/test/server/test_sslserver.c b/test/server/test_sslserver.c
+index 6c1a028..b9288e4 100644
+--- a/test/server/test_sslserver.c
++++ b/test/server/test_sslserver.c
+@@ -96,7 +96,7 @@ static int bio_apr_socket_destroy(BIO *bio)
+ 
+ static long bio_apr_socket_ctrl(BIO *bio, int cmd, long num, void *ptr)
+ {
+-    long ret = 1;
++    long ret = 0;
+ 
+     switch (cmd) {
+         default:
+@@ -104,6 +104,7 @@ static long bio_apr_socket_ctrl(BIO *bio, int cmd, long num, void *ptr)
+             break;
+         case BIO_CTRL_FLUSH:
+             /* At this point we can't force a flush. */
++            ret = 1;
+             break;
+         case BIO_CTRL_PUSH:
+         case BIO_CTRL_POP:
+diff --git a/test/test_context.c b/test/test_context.c
+index 74e53b4..5e2bddf 100644
+--- a/test/test_context.c
++++ b/test/test_context.c
+@@ -1164,6 +1164,37 @@ ssl_server_cert_cb_reject(void *baton, int failures,
+     return SERF_ERROR_ISSUE_IN_TESTSUITE;
+ }
+ 
++/* Set up the ssl context with the CA and root CA certificates needed for
++   successful valiation of the server certificate. */
++static apr_status_t
++https_set_root_ca_conn_setup(apr_socket_t *skt,
++                             serf_bucket_t **input_bkt,
++                             serf_bucket_t **output_bkt,
++                             void *setup_baton,
++                             apr_pool_t *pool)
++{
++    serf_ssl_certificate_t *rootcacert;
++    test_baton_t *tb = setup_baton;
++    apr_status_t status;
++
++    status = default_https_conn_setup(skt, input_bkt, output_bkt,
++                                      setup_baton, pool);
++    if (status)
++        return status;
++
++    status = serf_ssl_load_cert_file(&rootcacert,
++                                     get_srcdir_file(pool,
++                                               "test/server/serfrootcacert.pem"),
++                                     pool);
++    if (status)
++        return status;
++    status = serf_ssl_trust_cert(tb->ssl_context, rootcacert);
++    if (status)
++        return status;
++
++    return status;
++}
++
+ /* Validate that we can connect successfully to an https server. This
+    certificate is not trusted, so a cert validation failure is expected. */
+ static void test_ssl_handshake(CuTest *tc)
+@@ -1171,7 +1202,6 @@ static void test_ssl_handshake(CuTest *tc)
+     test_baton_t *tb;
+     handler_baton_t handler_ctx[1];
+     const int num_requests = sizeof(handler_ctx)/sizeof(handler_ctx[0]);
+-    int expected_failures;
+     apr_status_t status;
+     test_server_message_t message_list[] = {
+         {CHUNKED_REQUEST(1, "1")},
+@@ -1180,9 +1210,6 @@ static void test_ssl_handshake(CuTest *tc)
+     test_server_action_t action_list[] = {
+         {SERVER_RESPOND, CHUNKED_EMPTY_RESPONSE},
+     };
+-    static const char *server_cert[] = { "test/server/serfservercert.pem",
+-        NULL };
+-
+ 
+     /* Set up a test context with a server */
+     apr_pool_t *test_pool = tc->testBaton;
+@@ -1190,57 +1217,20 @@ static void test_ssl_handshake(CuTest *tc)
+     status = test_https_server_setup(&tb,
+                                      message_list, num_requests,
+                                      action_list, num_requests, 0,
+-                                     NULL, /* default conn setup */
++                                     https_set_root_ca_conn_setup,
+                                      get_srcdir_file(test_pool, "test/server/serfserverkey.pem"),
+-                                     server_certs_srcdir(server_cert, test_pool),
++                                     server_certs_srcdir(server_certs, test_pool),
+                                      NULL, /* no client cert */
+-                                     ssl_server_cert_cb_expect_failures,
++                                     ssl_server_cert_cb_expect_allok,
+                                      test_pool);
+     CuAssertIntEquals(tc, APR_SUCCESS, status);
+ 
+-    /* This unknown failures is X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE, 
+-       meaning the chain has only the server cert. A good candidate for its
+-       own failure code. */
+-    expected_failures = SERF_SSL_CERT_UNKNOWNCA;
+-    tb->user_baton = &expected_failures;
+-
+     create_new_request(tb, &handler_ctx[0], "GET", "/", 1);
+ 
+     test_helper_run_requests_expect_ok(tc, tb, num_requests, handler_ctx,
+                                        test_pool);
+ }
+ 
+-/* Set up the ssl context with the CA and root CA certificates needed for
+-   successful valiation of the server certificate. */
+-static apr_status_t
+-https_set_root_ca_conn_setup(apr_socket_t *skt,
+-                             serf_bucket_t **input_bkt,
+-                             serf_bucket_t **output_bkt,
+-                             void *setup_baton,
+-                             apr_pool_t *pool)
+-{
+-    serf_ssl_certificate_t *rootcacert;
+-    test_baton_t *tb = setup_baton;
+-    apr_status_t status;
+-
+-    status = default_https_conn_setup(skt, input_bkt, output_bkt,
+-                                      setup_baton, pool);
+-    if (status)
+-        return status;
+-
+-    status = serf_ssl_load_cert_file(&rootcacert,
+-                                     get_srcdir_file(pool,
+-                                               "test/server/serfrootcacert.pem"),
+-                                     pool);
+-    if (status)
+-        return status;
+-    status = serf_ssl_trust_cert(tb->ssl_context, rootcacert);
+-    if (status)
+-        return status;
+-
+-    return status;
+-}
+-
+ /* Validate that server certificate validation is ok when we
+    explicitly trust our self-signed root ca. */
+ static void test_ssl_trust_rootca(CuTest *tc)
+
diff --git a/libserf.spec b/libserf.spec
index 64504ab..f4159f6 100644
--- a/libserf.spec
+++ b/libserf.spec
@@ -1,19 +1,20 @@
 Name:           libserf
 Version:        1.3.9
-Release:        26%{?dist}
+Release:        27%{?dist}
 Summary:        High-Performance Asynchronous HTTP Client Library
 License:        ASL 2.0
 URL:            http://serf.apache.org/
 Source0:        https://archive.apache.org/dist/serf/serf-%{version}.tar.bz2
 BuildRequires:  gcc, pkgconfig
 BuildRequires:  apr-devel, apr-util-devel, krb5-devel, openssl-devel
-BuildRequires:  zlib-devel, cmake
+BuildRequires:  zlib-devel, cmake, libfaketime, openssl
 Patch0:         %{name}-norpath.patch
 Patch1:         %{name}-python3.patch
 Patch2:		%{name}-1.3.9-bio-ctrl.patch
 Patch3:         %{name}-1.3.9-errgetfunc.patch
 Patch4:		%{name}-1.3.9-multihome.patch
 Patch5:		%{name}-1.3.9-cmake.patch
+Patch6:		%{name}-1.3.9-testsuite.patch
 
 %description
 The serf library is a C-based HTTP client library built upon the Apache 
@@ -32,6 +33,15 @@ developing applications that use %{name}.
 
 %prep
 %autosetup -n serf-%{version} -p1
+pushd test/server
+openssl req -x509 -newkey rsa:2048 -keyout serfrootcacert.pem -out serfrootcacert.pem -sha256 -days 3650 -nodes -subj "/C=BE/ST=Antwerp/L=Mechelen/O=In Serf we trust, Inc./OU=Test Suite Root CA/CN=Serf Root CA/emailAddress=serfrootca@example.com"
+openssl req -x509 -newkey rsa:2048 -keyout serfcacert.pem -out serfcacert.pem -sha256 -days 3650 -nodes -subj "/C=BE/ST=Antwerp/L=Mechelen/O=In Serf we trust, Inc./OU=Test Suite CA/CN=Serf CA/emailAddress=serfca@example.com" -CA serfrootcacert.pem -CAkey serfrootcacert.pem
+openssl req -x509 -newkey rsa:2048 -keyout serfserverkey.pem -out serfservercert.pem -sha256 -days 3650 -subj "/C=BE/ST=Antwerp/L=Mechelen/O=In Serf we trust, Inc./OU=Test Suite Server/CN=localhost/emailAddress=serfserver@example.com" -CA serfcacert.pem -CAkey serfcacert.pem -passout pass:serftest
+faketime '2050-12-24 08:15:42' openssl req -x509 -out serfserver_future_cert.pem -subj "/C=BE/ST=Antwerp/L=Mechelen/O=In Serf we trust, Inc./OU=Test Suite Server/CN=localhost/emailAddress=serfserver@example.com" -CA serfcacert.pem -CAkey serfcacert.pem -key serfserverkey.pem -days 30 -passout pass:serftest -passin pass:serftest
+faketime '1990-12-24 08:15:42' openssl req -x509 -out serfserver_expired_cert.pem -subj "/C=BE/ST=Antwerp/L=Mechelen/O=In Serf we trust, Inc./OU=Test Suite Server/CN=localhost/emailAddress=serfserver@example.com" -CA serfcacert.pem -CAkey serfcacert.pem -key serfserverkey.pem -days 30 -passout pass:serftest -passin pass:serftest
+openssl req -x509 -newkey rsa:2048 -keyout serfclientkey.pem -out serfclientcert.pem -sha256 -days 3650 --CA serfcacert.pem --CAkey serfcacert.pem -subj "/C=BE/ST=Antwerp/L=Mechelen/O=In Serf we trust, Inc./OU=Test Suite Client/CN=Serf Client/emailAddress=serfclient@example.com" --nodes
+openssl pkcs12 -export -in serfclientcert.pem -inkey serfclientkey.pem -out serfclientcert.p12 -passout pass:serftest
+popd
 
 %build
 %cmake -DCMAKE_INSTALL_LIBDIR=%{_libdir}
@@ -46,7 +56,7 @@ mv %{buildroot}%{_datadir}/pkgconfig/serf.pc %{buildroot}%{_libdir}/pkgconfig/se
 rm -rf %{buildroot}%{_datadir}
 
 %check
-%ctest || true
+%ctest
 
 %ldconfig_scriptlets
 
@@ -61,6 +71,10 @@ rm -rf %{buildroot}%{_datadir}
 %{_libdir}/pkgconfig/serf*.pc
 
 %changelog
+* Mon Feb 06 2023 Tomas Korbar <tkorbar@redhat.com> - 1.3.9-27
+- Fix testsuite
+- Resolves: rhbz#2166252
+
 * Tue Jan 31 2023 Tomas Korbar <tkorbar@redhat.com> - 1.3.9-26
 - Fix multihome server handling and backport cmake support
 - Related: rhbz#1130328