From 58c3df3b3c298b9ce0e88c47f4867ec3a31309fe Mon Sep 17 00:00:00 2001
From: ale <ale@incal.net>
Date: Sat, 19 Apr 2014 17:47:40 +0100
Subject: [PATCH] add test to verify ssl failure without client certificate

---
 pam/auth_client_test.cc | 24 ++++++++++++++++++++++++
 1 file changed, 24 insertions(+)

diff --git a/pam/auth_client_test.cc b/pam/auth_client_test.cc
index 1ca19da..7693517 100644
--- a/pam/auth_client_test.cc
+++ b/pam/auth_client_test.cc
@@ -60,6 +60,30 @@ TEST(AuthClient, AuthOK) {
   auth_client_free(ac);
 }
 
+TEST(AuthClient, SSLFailsWithBadCertificate) {
+  auth_client_t ac;
+  int result;
+
+  ac = auth_client_new("service", server);
+  ASSERT_TRUE(ac != NULL);
+
+  auth_client_set_verbose(ac, 1);
+
+  // We can't tell auth_client to make an https request without a
+  // client certificate, but we can try to force a failure by
+  // providing a bad (unloadable) certificate, for example one where
+  // the private and public keys do not match. In this case,
+  // auth_client_set_certificate() should still succeed, since it
+  // doesn't perform this kind of correctness check.
+  result = auth_client_set_certificate(ac, ssl_ca, ssl_ca, ssl_key);
+  EXPECT_EQ(AC_OK, result) << "set_certificate() error: " << auth_client_strerror(result);
+
+  result = auth_client_authenticate(ac, "user", "pass", NULL, "127.0.0.1");
+  EXPECT_NE(AC_OK, result) << "authenticate() didn't fail, server=" << server;
+
+  auth_client_free(ac);
+}
+
 int main(int argc, char **argv) {
   server = getenv("AUTH_SERVER");
   if (server == NULL) {
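Review bot: `EXPECT_NE(AC_OK, result)` after `auth_client_authenticate()` accepts any failure, so SSLFailsWithBadCertificate also passes when the server is unreachable, CA verification fails, or the "user"/"pass" credentials are simply rejected; it does not show that the mismatched key pair was the cause. The mismatch is probably detected client-side when the key pair is loaded (inferred from the test's own comment, not visible here), in which case the server's requirement for a client certificate, which the commit subject says is being verified, is never exercised. Pin the expected error instead, e.g. `EXPECT_EQ(EXPECTED_TLS_ERROR, result)`, where EXPECTED_TLS_ERROR is a placeholder for whichever auth_client code reports a TLS/certificate failure. Also reuse the credentials that AuthOK authenticates with (its body is outside the hunk), so that a credential rejection cannot mask the result.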
-- 
GitLab