Annotate openssl too.

CVS patchset: 7533 CVS date: 2004/11/01 16:54:50
2004-11-01 16:54:50 +00:00 · 2004-11-01 16:54:50 +00:00 · af723bb934
parent 85d28994b9
commit af723bb934
15 changed files with 104 additions and 69 deletions
--- a/neon/neon-config.in
+++ b/neon/neon-config.in
@ -71,11 +71,6 @@ while test $# -gt 0; do

    --libs)
 	LIBS="-lneon @NEON_LIBS@"
-	# Don't add standard library paths
-	case "${libdir}" in
-	/usr/lib|/lib) ;;
-	*) LIBS="-L${libdir} ${LIBS}" ;;
-	esac
 	echo @user_LDFLAGS@ ${LIBS}
 	;;

--- a/neon/src/.splintrc
+++ b/neon/src/.splintrc
@ -1,4 +1,4 @@
-I. -I.. -I../../expat/lib -I../../zlib -DHAVE_CONFIG_H -D_LARGFILE_SOURCE
+-I. -I.. -I../../expat/lib -I../../zlib -DHAVE_CONFIG_H -D_LARGFILE_SOURCE -D__i386__ -DINT_MAX=0x7fffffffL -DSHRT_MAX=0x7fff

 +partial
 +forcehints
@ -31,6 +31,7 @@
 -infloops		# 1
 -infloopsuncon		# 1
 -initallelements	# 3
+-matchfields
 -mayaliasunique		# 4
 -modfilesys		# 12
 -modnomods		# 1
@ -56,6 +57,7 @@
 -immediatetrans		# 5
 -kepttrans		# 5
 -observertrans		# 5
+-onlytrans
 -readonlytrans		# 1
 -statictrans		# 1
 -temptrans		# 46
--- a/neon/src/ne_alloc.h
+++ b/neon/src/ne_alloc.h
@ -42,11 +42,24 @@ void ne_oom_callback(void (*callback)(void))
 * neon will abort(); calling an OOM callback beforehand if one is
 * registered.  The C library will only ever return NULL if the
 * operating system does not use optimistic memory allocation. */
-void *ne_malloc(size_t size) ne_attribute_malloc;
-void *ne_calloc(size_t size) ne_attribute_malloc;
-void *ne_realloc(void *ptr, size_t s) ne_attribute_malloc;
-char *ne_strdup(const char *s) ne_attribute_malloc;
-char *ne_strndup(const char *s, size_t n) ne_attribute_malloc;
+/*@mayexit@*/ /*@only@*/ /*@out@*/
+void *ne_malloc(size_t size) ne_attribute_malloc
+	/*@globals errno @*/
+	/*@ensures maxSet(result) == (size - 1) @*/
+	/*@modifies errno @*/;
+/*@mayexit@*/ /*@only@*/
+void *ne_calloc(size_t size) ne_attribute_malloc
+	/*@*/;
+/*@mayexit@*/ /*@only@*/
+void *ne_realloc(void *ptr, size_t size) ne_attribute_malloc
+        /*@ensures maxSet(result) == (size - 1) @*/
+        /*@modifies *ptr @*/;
+/*@mayexit@*/ /*@only@*/
+char *ne_strdup(const char *s) ne_attribute_malloc
+	/*@*/;
+/*@mayexit@*/ /*@only@*/
+char *ne_strndup(const char *s, size_t n) ne_attribute_malloc
+	/*@*/;
 #define ne_free free
 #endif

--- a/neon/src/ne_openssl.c
+++ b/neon/src/ne_openssl.c
@ -142,9 +142,11 @@ void ne_ssl_clicert_free(ne_ssl_client_cert *cc)

 /* Map a server cert verification into a string. */
 static void verify_err(ne_session *sess, int failures)
+	/*@modifies sess @*/
 {
    struct {
 	int bit;
+/*@observer@*/
 	const char *str;
    } reasons[] = {
 	{ NE_SSL_NOTYETVALID, N_("certificate is not yet valid") },
@ -170,6 +172,7 @@ static void verify_err(ne_session *sess, int failures)
 /* Format an ASN1 time to a string. 'buf' must be at least of size
 * 'NE_SSL_VDATELEN'. */
 static void asn1time_to_string(ASN1_TIME *tm, char *buf)
+	/*@modifies buf @*/
 {
    BIO *bio;
    
@ -197,6 +200,7 @@ void ne_ssl_cert_validity(const ne_ssl_certificate *cert,
 * used for session (hostname).  (Wildcard matching is no longer
 * mandated by RFC3280, but certs are deployed which use wildcards) */
 static int match_hostname(char *cn, const char *hostname)
+	/*@modifies cn @*/
 {
    const char *dot;
    NE_DEBUG(NE_DBG_SSL, "Match %s on %s...\n", cn, hostname);
@ -219,7 +223,9 @@ static int match_hostname(char *cn, const char *hostname)
 * identity does not match, or <0 if the certificate had no identity.
 * If 'identity' is non-NULL, store the malloc-allocated identity in
 * *identity. */
+/*@-modunconnomods@*/
 static int check_identity(const char *hostname, X509 *cert, char **identity)
+	/*@modifies *identity @*/
 {
    STACK_OF(GENERAL_NAME) *names;
    int match = 0, found = 0;
@ -300,9 +306,12 @@ static int check_identity(const char *hostname, X509 *cert, char **identity)
             match ? "good" : "bad");
    return match ? 0 : 1;
 }
+/*@=modunconnomods@*/

 /* Populate an ne_ssl_certificate structure from an X509 object. */
+/*@-modunconnomods@*/
 static ne_ssl_certificate *populate_cert(ne_ssl_certificate *cert, X509 *x5)
+	/*@modifies cert @*/
 {
    cert->subj_dn.dn = X509_get_subject_name(x5);
    cert->issuer_dn.dn = X509_get_issuer_name(x5);
@ -313,9 +322,12 @@ static ne_ssl_certificate *populate_cert(ne_ssl_certificate *cert, X509 *x5)
    check_identity("", x5, &cert->identity);
    return cert;
 }
+/*@=modunconnomods@*/

 /* Return a linked list of certificate objects from an OpenSSL chain. */
+/*@-modunconnomods@*/
 static ne_ssl_certificate *make_chain(STACK_OF(X509) *chain)
+	/*@*/
 {
    int n, count = sk_X509_num(chain);
    ne_ssl_certificate *top = NULL, *current = NULL;
@ -341,9 +353,12 @@ static ne_ssl_certificate *make_chain(STACK_OF(X509) *chain)

    return top;
 }
+/*@=modunconnomods@*/

 /* Verifies an SSL server certificate. */
+/*@-modunconnomods@*/
 static int check_certificate(ne_session *sess, SSL *ssl, ne_ssl_certificate *chain)
+	/*@modifies sess @*/
 {
    X509 *cert = chain->subject;
    ASN1_TIME *notBefore = X509_get_notBefore(cert);
@ -413,9 +428,11 @@ static int check_certificate(ne_session *sess, SSL *ssl, ne_ssl_certificate *cha

    return ret;
 }
+/*@=modunconnomods@*/

 /* Duplicate a client certificate, which must be in the decrypted state. */
 static ne_ssl_client_cert *dup_client_cert(const ne_ssl_client_cert *cc)
+	/*@modifies cc @*/
 {
    ne_ssl_client_cert *newcc = ne_calloc(sizeof *newcc);
    
@ -432,7 +449,9 @@ static ne_ssl_client_cert *dup_client_cert(const ne_ssl_client_cert *cc)
 }

 /* Callback invoked when the SSL server requests a client certificate.  */
+/*@-modunconnomods@*/
 static int provide_client_cert(SSL *ssl, X509 **cert, EVP_PKEY **pkey)
+	/*@modifies *cert, *pkey @*/
 {
    ne_ssl_context *ctx = SSL_get_app_data(ssl);
    ne_session *sess = SSL_CTX_get_app_data(ctx->ctx);
@ -476,6 +495,7 @@ static int provide_client_cert(SSL *ssl, X509 **cert, EVP_PKEY **pkey)
 	return 0;
    }
 }
+/*@=modunconnomods@*/

 void ne_ssl_set_clicert(ne_session *sess, const ne_ssl_client_cert *cc)
 {
@ -659,6 +679,7 @@ void ne_ssl_trust_default_ca(ne_session *sess)

 /* Find a friendly name in a PKCS12 structure the hard way, without
 * decrypting the parts which are encrypted.. */
+/*@-modunconnomods@*/
 static char *find_friendly_name(PKCS12 *p12)
 {
    STACK_OF(PKCS7) *safes = PKCS12_unpack_authsafes(p12);
@ -690,6 +711,7 @@ static char *find_friendly_name(PKCS12 *p12)
    sk_PKCS7_pop_free(safes, PKCS7_free);
    return name;
 }
+/*@=modunconnomods@*/

 ne_ssl_client_cert *ne_ssl_clicert_read(const char *filename)
 {
--- a/neon/src/ne_request.c
+++ b/neon/src/ne_request.c
@ -1374,7 +1374,8 @@ ne_session *ne_get_session(const ne_request *req)
 /* Create a CONNECT tunnel through the proxy server.
 * Returns HTTP_* */
 static int proxy_tunnel(ne_session *sess)
-	/*@*/
+	/*@globals internalState @*/
+	/*@modifies sess, internalState @*/
 {
    /* Hack up an HTTP CONNECT request... */
    ne_request *req;
--- a/neon/src/ne_session.h
+++ b/neon/src/ne_session.h
@ -142,7 +142,7 @@ void ne_ssl_set_verify(ne_session *sess, ne_ssl_verify_fn fn, void *userdata)
 /* Use the given client certificate for the session.  The client cert
 * MUST be in the decrypted state, otherwise behaviour is undefined. */
 void ne_ssl_set_clicert(ne_session *sess, const ne_ssl_client_cert *clicert)
-	/*@modifies sess @*/;
+	/*@modifies sess, clicert @*/;

 /* Indicate that the certificate 'cert' is trusted; 'cert' is
 * duplicated internally and may be destroyed at will. */
--- a/neon/src/ne_socket.c
+++ b/neon/src/ne_socket.c
@ -525,7 +525,7 @@ static const struct iofns iofns_raw = { read_raw, write_raw, readable_raw };
 #ifdef HAVE_OPENSSL
 /* OpenSSL I/O function implementations. */
 static int readable_ossl(ne_socket *sock, int secs)
-	/*@*/
+	/*@modifies sock @*/
 {
    if (SSL_pending(sock->ssl))
 	return 0;
@ -534,7 +534,7 @@ static int readable_ossl(ne_socket *sock, int secs)

 /* SSL error handling, according to SSL_get_error(3). */
 static int error_ossl(ne_socket *sock, int sret)
-	/*@*/
+	/*@modifies sock @*/
 {
    int err = SSL_get_error(sock->ssl, sret), ret = NE_SOCK_ERROR;
    const char *str;
@ -576,8 +576,9 @@ static int error_ossl(ne_socket *sock, int sret)
 * accidentally passing a negative number, etc. */
 #define CAST2INT(n) (((n) > INT_MAX) ? INT_MAX : (n))

+/*@-mustmod@*/
 static ssize_t read_ossl(ne_socket *sock, char *buffer, size_t len)
-	/*@*/
+	/*@modifies sock, buffer @*/
 {
    int ret;

@ -590,9 +591,10 @@ static ssize_t read_ossl(ne_socket *sock, char *buffer, size_t len)

    return ret;
 }
+/*@=mustmod@*/

 static ssize_t write_ossl(ne_socket *sock, const char *data, size_t len)
-	/*@*/
+	/*@modifies sock @*/
 {
    int ret, ilen = CAST2INT(len);
    ret = SSL_write(sock->ssl, data, ilen);
--- a/neon/src/ne_socket.h
+++ b/neon/src/ne_socket.h
@ -212,12 +212,12 @@ int ne_service_lookup(const char *name)
 /* Negotiate an SSL connection on socket as an SSL server, using given
 * SSL context. */
 int ne_sock_accept_ssl(ne_socket *sock, ne_ssl_context *ctx)
-	/*@*/;
+	/*@modifies sock, ctx @*/;

 /* Negotiate an SSL connection on socket as an SSL client, using given
 * SSL context. */
 int ne_sock_connect_ssl(ne_socket *sock, ne_ssl_context *ctx)
-	/*@*/;
+	/*@modifies sock, ctx @*/;

 END_NEON_DECLS

--- a/neon/src/ne_ssl.h
+++ b/neon/src/ne_ssl.h
@ -106,7 +106,7 @@ int ne_ssl_cert_digest(const ne_ssl_certificate *cert, char *digest)
 * least NE_SSL_VDATELEN bytes in length. */
 void ne_ssl_cert_validity(const ne_ssl_certificate *cert,
                          char *from, char *until)
-	/*@*/;
+	/*@modifies from, until @*/;

 /* Returns zero if 'c1' and 'c2' refer to the same certificate, or
 * non-zero otherwise. */
@ -115,8 +115,8 @@ int ne_ssl_cert_cmp(const ne_ssl_certificate *c1,
 	/*@*/;

 /* Deallocate memory associated with certificate. */
-void ne_ssl_cert_free(ne_ssl_certificate *cert)
-	/*@*/;
+void ne_ssl_cert_free(/*@only@*/ ne_ssl_certificate *cert)
+	/*@modifies cert @*/;

 /* A client certificate (and private key). */
 typedef struct ne_ssl_client_cert_s ne_ssl_client_cert;
@ -142,7 +142,7 @@ int ne_ssl_clicert_encrypted(const ne_ssl_client_cert *ccert)
 * again with a different password.  For a ccert on which _encrypted()
 * returns 0, calling _decrypt results in undefined behaviour. */
 int ne_ssl_clicert_decrypt(ne_ssl_client_cert *ccert, const char *password)
-	/*@*/;
+	/*@modifies ccert @*/;

 /* Return the actual certificate part of the client certificate (never
 * returns NULL). */
@ -150,8 +150,8 @@ const ne_ssl_certificate *ne_ssl_clicert_owner(const ne_ssl_client_cert *ccert)
 	/*@*/;

 /* Deallocate memory associated with a client certificate. */
-void ne_ssl_clicert_free(ne_ssl_client_cert *ccert)
-	/*@*/;
+void ne_ssl_clicert_free(/*@only@*/ ne_ssl_client_cert *ccert)
+	/*@modifies ccert @*/;


 /* SSL context object.  The interfaces to manipulate an SSL context
@ -184,8 +184,8 @@ int ne_ssl_context_set_verify(ne_ssl_context *ctx, int required,
 	/*@*/;

 /* Destroy an SSL context. */
-void ne_ssl_context_destroy(ne_ssl_context *ctx)
-	/*@*/;
+void ne_ssl_context_destroy(/*@only@*/ ne_ssl_context *ctx)
+	/*@modifies ctx @*/;

 END_NEON_DECLS

--- a/neon/test/ca1.pem
+++ b/neon/test/ca1.pem
@ -3,13 +3,13 @@ MIICQTCCAeugAwIBAgIBADANBgkqhkiG9w0BAQQFADCBnzELMAkGA1UEBhMCR0Ix
 FTATBgNVBAgTDExpbmNvbG5zaGlyZTEQMA4GA1UEBxMHTGluY29sbjERMA8GA1UE
 ChMIQ0FzIEx0ZC4xGDAWBgNVBAsTD0ZpcnN0IFJhbmRvbSBDQTEaMBgGA1UEAxMR
 Zmlyc3QuZXhhbXBsZS5jb20xHjAcBgkqhkiG9w0BCQEWD25lb25Ad2ViZGF2Lm9y
-ZzAeFw0wNDEwMjkxMzEzNDdaFw0wNzA0MTcxMzEzNDdaMIGfMQswCQYDVQQGEwJH
+ZzAeFw0wNDExMDExNTAzMTNaFw0wNzA0MjAxNTAzMTNaMIGfMQswCQYDVQQGEwJH
 QjEVMBMGA1UECBMMTGluY29sbnNoaXJlMRAwDgYDVQQHEwdMaW5jb2xuMREwDwYD
 VQQKEwhDQXMgTHRkLjEYMBYGA1UECxMPRmlyc3QgUmFuZG9tIENBMRowGAYDVQQD
 ExFmaXJzdC5leGFtcGxlLmNvbTEeMBwGCSqGSIb3DQEJARYPbmVvbkB3ZWJkYXYu
 b3JnMFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAPNFTmxnz4JZA+8+SonD0qWgSBPY
 WrNlH1FP+psm5EGZGmGJGvSDsk6HkyvstdopKF50UuEaJ263IorAhkmdGG0CAwEA
-AaMQMA4wDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQQFAANBAOvtDu4Cs6nj5DG1
-NG5gqCkrVWqvjSd1jzsxOJBoN9gk/d87rAzNCvK4dTkFf9btdRZwv5OZFJzKLcU8
-f7qzMnM=
+AaMQMA4wDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQQFAANBAAqqk1T3oQdI5Wqy
+W3chgRhhIbbIs7t5pmhqKgsGuDajJf5SVwrKfm7UY9TRI9L0P8KiECoh3OvzxbsG
+txt298w=
 -----END CERTIFICATE-----
--- a/neon/test/ca2.pem
+++ b/neon/test/ca2.pem
@ -3,13 +3,13 @@ MIICPzCCAemgAwIBAgIBADANBgkqhkiG9w0BAQQFADCBnjELMAkGA1UEBhMCR0Ix
 ETAPBgNVBAgTCENvcm53YWxsMREwDwYDVQQHEwhGYWxtb3V0aDERMA8GA1UEChMI
 Q0FzIEx0ZC4xGTAXBgNVBAsTEFNlY29uZCBSYW5kb20gQ0ExGzAZBgNVBAMTEnNl
 Y29uZC5leGFtcGxlLmNvbTEeMBwGCSqGSIb3DQEJARYPbmVvbkB3ZWJkYXYub3Jn
-MB4XDTA0MTAyOTEzMTM0N1oXDTA3MDQxNzEzMTM0N1owgZ4xCzAJBgNVBAYTAkdC
+MB4XDTA0MTEwMTE1MDMxM1oXDTA3MDQyMDE1MDMxM1owgZ4xCzAJBgNVBAYTAkdC
 MREwDwYDVQQIEwhDb3Jud2FsbDERMA8GA1UEBxMIRmFsbW91dGgxETAPBgNVBAoT
 CENBcyBMdGQuMRkwFwYDVQQLExBTZWNvbmQgUmFuZG9tIENBMRswGQYDVQQDExJz
 ZWNvbmQuZXhhbXBsZS5jb20xHjAcBgkqhkiG9w0BCQEWD25lb25Ad2ViZGF2Lm9y
 ZzBcMA0GCSqGSIb3DQEBAQUAA0sAMEgCQQDzRU5sZ8+CWQPvPkqJw9KloEgT2Fqz
 ZR9RT/qbJuRBmRphiRr0g7JOh5Mr7LXaKShedFLhGidutyKKwIZJnRhtAgMBAAGj
-EDAOMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEEBQADQQANIBQyploOs1JrmzZu
-TATbjH6wsoEWdAUKs+UMuigRHskqK4j6PutoPWYFB+Ebxfh1miiaWS/KwFzWmPte
-iNeK
+EDAOMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEEBQADQQBp0fpX6RKUfZ58TAAp
+w0JHXYgWHOcz7VpxAxh95lHM5dZiFXWLfisrugIjMInpvQZuoP/Cem0XA2vj89Af
+d+zA
 -----END CERTIFICATE-----
--- a/neon/test/ca3.pem
+++ b/neon/test/ca3.pem
@ -3,12 +3,12 @@ MIICNzCCAeGgAwIBAgIBADANBgkqhkiG9w0BAQQFADCBmjELMAkGA1UEBhMCR0Ix
 EDAOBgNVBAgTB1N1ZmZvbGsxEDAOBgNVBAcTB0lwc3dpY2gxETAPBgNVBAoTCENB
 cyBMdGQuMRgwFgYDVQQLEw9UaGlyZCBSYW5kb20gQ0ExGjAYBgNVBAMTEXRoaXJk
 LmV4YW1wbGUuY29tMR4wHAYJKoZIhvcNAQkBFg9uZW9uQHdlYmRhdi5vcmcwHhcN
-MDQxMDI5MTMxMzQ3WhcNMDcwNDE3MTMxMzQ3WjCBmjELMAkGA1UEBhMCR0IxEDAO
+MDQxMTAxMTUwMzEzWhcNMDcwNDIwMTUwMzEzWjCBmjELMAkGA1UEBhMCR0IxEDAO
 BgNVBAgTB1N1ZmZvbGsxEDAOBgNVBAcTB0lwc3dpY2gxETAPBgNVBAoTCENBcyBM
 dGQuMRgwFgYDVQQLEw9UaGlyZCBSYW5kb20gQ0ExGjAYBgNVBAMTEXRoaXJkLmV4
 YW1wbGUuY29tMR4wHAYJKoZIhvcNAQkBFg9uZW9uQHdlYmRhdi5vcmcwXDANBgkq
 hkiG9w0BAQEFAANLADBIAkEA80VObGfPglkD7z5KicPSpaBIE9has2UfUU/6mybk
 QZkaYYka9IOyToeTK+y12ikoXnRS4RonbrciisCGSZ0YbQIDAQABoxAwDjAMBgNV
-HRMEBTADAQH/MA0GCSqGSIb3DQEBBAUAA0EAwL7CNh2/1USUCHz55X/5BmySC1UJ
-mImoh0DD0LocIQJUjGsScm3M8HXarGxl6Vfkklt/k2TMAy6YCTv+1/dazw==
+HRMEBTADAQH/MA0GCSqGSIb3DQEBBAUAA0EAS9S1VrowKJt9GIozWcsq1hD9XX+F
+h0m7o7WudpVzjMhhbU97DJ7p2XFz5sKNpyPwRhkFTJ4Zm5XSTEc8WcsWBw==
 -----END CERTIFICATE-----
--- a/neon/test/ca4.pem
+++ b/neon/test/ca4.pem
@ -3,12 +3,12 @@ MIICOzCCAeWgAwIBAgIBADANBgkqhkiG9w0BAQQFADCBnDELMAkGA1UEBhMCR0Ix
 EDAOBgNVBAgTB05vcmZvbGsxEDAOBgNVBAcTB05vcndpY2gxETAPBgNVBAoTCENB
 cyBMdGQuMRkwFwYDVQQLExBGb3VydGggUmFuZG9tIENBMRswGQYDVQQDExJmb3Vy
 dGguZXhhbXBsZS5jb20xHjAcBgkqhkiG9w0BCQEWD25lb25Ad2ViZGF2Lm9yZzAe
-Fw0wNDEwMjkxMzEzNDdaFw0wNzA0MTcxMzEzNDdaMIGcMQswCQYDVQQGEwJHQjEQ
+Fw0wNDExMDExNTAzMTNaFw0wNzA0MjAxNTAzMTNaMIGcMQswCQYDVQQGEwJHQjEQ
 MA4GA1UECBMHTm9yZm9sazEQMA4GA1UEBxMHTm9yd2ljaDERMA8GA1UEChMIQ0Fz
 IEx0ZC4xGTAXBgNVBAsTEEZvdXJ0aCBSYW5kb20gQ0ExGzAZBgNVBAMTEmZvdXJ0
 aC5leGFtcGxlLmNvbTEeMBwGCSqGSIb3DQEJARYPbmVvbkB3ZWJkYXYub3JnMFww
 DQYJKoZIhvcNAQEBBQADSwAwSAJBAPNFTmxnz4JZA+8+SonD0qWgSBPYWrNlH1FP
 +psm5EGZGmGJGvSDsk6HkyvstdopKF50UuEaJ263IorAhkmdGG0CAwEAAaMQMA4w
-DAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQQFAANBAMxApCvWUMkO47bO/Cpy6ow2
-BTb8BQW+NeSXV3EIlu1IPVJ9e1pcfTtVP5z5bseeUQSMcRWwEbV3Aie+a5xsT9Y=
+DAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQQFAANBADZrHP9K8nS2WFiVBQgzljbN
+aeP00s2BF/fBZjhqi94FmP07SHEcLBRuN+cK4J3ThuDOqc6C6cFjP/o+dfF1T2M=
 -----END CERTIFICATE-----
--- a/neon/test/calist.pem
+++ b/neon/test/calist.pem
@ -3,56 +3,56 @@ MIICQTCCAeugAwIBAgIBADANBgkqhkiG9w0BAQQFADCBnzELMAkGA1UEBhMCR0Ix
 FTATBgNVBAgTDExpbmNvbG5zaGlyZTEQMA4GA1UEBxMHTGluY29sbjERMA8GA1UE
 ChMIQ0FzIEx0ZC4xGDAWBgNVBAsTD0ZpcnN0IFJhbmRvbSBDQTEaMBgGA1UEAxMR
 Zmlyc3QuZXhhbXBsZS5jb20xHjAcBgkqhkiG9w0BCQEWD25lb25Ad2ViZGF2Lm9y
-ZzAeFw0wNDEwMjkxMzEzNDdaFw0wNzA0MTcxMzEzNDdaMIGfMQswCQYDVQQGEwJH
+ZzAeFw0wNDExMDExNTAzMTNaFw0wNzA0MjAxNTAzMTNaMIGfMQswCQYDVQQGEwJH
 QjEVMBMGA1UECBMMTGluY29sbnNoaXJlMRAwDgYDVQQHEwdMaW5jb2xuMREwDwYD
 VQQKEwhDQXMgTHRkLjEYMBYGA1UECxMPRmlyc3QgUmFuZG9tIENBMRowGAYDVQQD
 ExFmaXJzdC5leGFtcGxlLmNvbTEeMBwGCSqGSIb3DQEJARYPbmVvbkB3ZWJkYXYu
 b3JnMFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAPNFTmxnz4JZA+8+SonD0qWgSBPY
 WrNlH1FP+psm5EGZGmGJGvSDsk6HkyvstdopKF50UuEaJ263IorAhkmdGG0CAwEA
-AaMQMA4wDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQQFAANBAOvtDu4Cs6nj5DG1
-NG5gqCkrVWqvjSd1jzsxOJBoN9gk/d87rAzNCvK4dTkFf9btdRZwv5OZFJzKLcU8
-f7qzMnM=
+AaMQMA4wDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQQFAANBAAqqk1T3oQdI5Wqy
+W3chgRhhIbbIs7t5pmhqKgsGuDajJf5SVwrKfm7UY9TRI9L0P8KiECoh3OvzxbsG
+txt298w=
 -----END CERTIFICATE-----
 -----BEGIN CERTIFICATE-----
 MIICPzCCAemgAwIBAgIBADANBgkqhkiG9w0BAQQFADCBnjELMAkGA1UEBhMCR0Ix
 ETAPBgNVBAgTCENvcm53YWxsMREwDwYDVQQHEwhGYWxtb3V0aDERMA8GA1UEChMI
 Q0FzIEx0ZC4xGTAXBgNVBAsTEFNlY29uZCBSYW5kb20gQ0ExGzAZBgNVBAMTEnNl
 Y29uZC5leGFtcGxlLmNvbTEeMBwGCSqGSIb3DQEJARYPbmVvbkB3ZWJkYXYub3Jn
-MB4XDTA0MTAyOTEzMTM0N1oXDTA3MDQxNzEzMTM0N1owgZ4xCzAJBgNVBAYTAkdC
+MB4XDTA0MTEwMTE1MDMxM1oXDTA3MDQyMDE1MDMxM1owgZ4xCzAJBgNVBAYTAkdC
 MREwDwYDVQQIEwhDb3Jud2FsbDERMA8GA1UEBxMIRmFsbW91dGgxETAPBgNVBAoT
 CENBcyBMdGQuMRkwFwYDVQQLExBTZWNvbmQgUmFuZG9tIENBMRswGQYDVQQDExJz
 ZWNvbmQuZXhhbXBsZS5jb20xHjAcBgkqhkiG9w0BCQEWD25lb25Ad2ViZGF2Lm9y
 ZzBcMA0GCSqGSIb3DQEBAQUAA0sAMEgCQQDzRU5sZ8+CWQPvPkqJw9KloEgT2Fqz
 ZR9RT/qbJuRBmRphiRr0g7JOh5Mr7LXaKShedFLhGidutyKKwIZJnRhtAgMBAAGj
-EDAOMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEEBQADQQANIBQyploOs1JrmzZu
-TATbjH6wsoEWdAUKs+UMuigRHskqK4j6PutoPWYFB+Ebxfh1miiaWS/KwFzWmPte
-iNeK
+EDAOMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEEBQADQQBp0fpX6RKUfZ58TAAp
+w0JHXYgWHOcz7VpxAxh95lHM5dZiFXWLfisrugIjMInpvQZuoP/Cem0XA2vj89Af
+d+zA
 -----END CERTIFICATE-----
 -----BEGIN CERTIFICATE-----
 MIICNzCCAeGgAwIBAgIBADANBgkqhkiG9w0BAQQFADCBmjELMAkGA1UEBhMCR0Ix
 EDAOBgNVBAgTB1N1ZmZvbGsxEDAOBgNVBAcTB0lwc3dpY2gxETAPBgNVBAoTCENB
 cyBMdGQuMRgwFgYDVQQLEw9UaGlyZCBSYW5kb20gQ0ExGjAYBgNVBAMTEXRoaXJk
 LmV4YW1wbGUuY29tMR4wHAYJKoZIhvcNAQkBFg9uZW9uQHdlYmRhdi5vcmcwHhcN
-MDQxMDI5MTMxMzQ3WhcNMDcwNDE3MTMxMzQ3WjCBmjELMAkGA1UEBhMCR0IxEDAO
+MDQxMTAxMTUwMzEzWhcNMDcwNDIwMTUwMzEzWjCBmjELMAkGA1UEBhMCR0IxEDAO
 BgNVBAgTB1N1ZmZvbGsxEDAOBgNVBAcTB0lwc3dpY2gxETAPBgNVBAoTCENBcyBM
 dGQuMRgwFgYDVQQLEw9UaGlyZCBSYW5kb20gQ0ExGjAYBgNVBAMTEXRoaXJkLmV4
 YW1wbGUuY29tMR4wHAYJKoZIhvcNAQkBFg9uZW9uQHdlYmRhdi5vcmcwXDANBgkq
 hkiG9w0BAQEFAANLADBIAkEA80VObGfPglkD7z5KicPSpaBIE9has2UfUU/6mybk
 QZkaYYka9IOyToeTK+y12ikoXnRS4RonbrciisCGSZ0YbQIDAQABoxAwDjAMBgNV
-HRMEBTADAQH/MA0GCSqGSIb3DQEBBAUAA0EAwL7CNh2/1USUCHz55X/5BmySC1UJ
-mImoh0DD0LocIQJUjGsScm3M8HXarGxl6Vfkklt/k2TMAy6YCTv+1/dazw==
+HRMEBTADAQH/MA0GCSqGSIb3DQEBBAUAA0EAS9S1VrowKJt9GIozWcsq1hD9XX+F
+h0m7o7WudpVzjMhhbU97DJ7p2XFz5sKNpyPwRhkFTJ4Zm5XSTEc8WcsWBw==
 -----END CERTIFICATE-----
 -----BEGIN CERTIFICATE-----
 MIICOzCCAeWgAwIBAgIBADANBgkqhkiG9w0BAQQFADCBnDELMAkGA1UEBhMCR0Ix
 EDAOBgNVBAgTB05vcmZvbGsxEDAOBgNVBAcTB05vcndpY2gxETAPBgNVBAoTCENB
 cyBMdGQuMRkwFwYDVQQLExBGb3VydGggUmFuZG9tIENBMRswGQYDVQQDExJmb3Vy
 dGguZXhhbXBsZS5jb20xHjAcBgkqhkiG9w0BCQEWD25lb25Ad2ViZGF2Lm9yZzAe
-Fw0wNDEwMjkxMzEzNDdaFw0wNzA0MTcxMzEzNDdaMIGcMQswCQYDVQQGEwJHQjEQ
+Fw0wNDExMDExNTAzMTNaFw0wNzA0MjAxNTAzMTNaMIGcMQswCQYDVQQGEwJHQjEQ
 MA4GA1UECBMHTm9yZm9sazEQMA4GA1UEBxMHTm9yd2ljaDERMA8GA1UEChMIQ0Fz
 IEx0ZC4xGTAXBgNVBAsTEEZvdXJ0aCBSYW5kb20gQ0ExGzAZBgNVBAMTEmZvdXJ0
 aC5leGFtcGxlLmNvbTEeMBwGCSqGSIb3DQEJARYPbmVvbkB3ZWJkYXYub3JnMFww
 DQYJKoZIhvcNAQEBBQADSwAwSAJBAPNFTmxnz4JZA+8+SonD0qWgSBPYWrNlH1FP
 +psm5EGZGmGJGvSDsk6HkyvstdopKF50UuEaJ263IorAhkmdGG0CAwEAAaMQMA4w
-DAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQQFAANBAMxApCvWUMkO47bO/Cpy6ow2
-BTb8BQW+NeSXV3EIlu1IPVJ9e1pcfTtVP5z5bseeUQSMcRWwEbV3Aie+a5xsT9Y=
+DAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQQFAANBADZrHP9K8nS2WFiVBQgzljbN
+aeP00s2BF/fBZjhqi94FmP07SHEcLBRuN+cK4J3ThuDOqc6C6cFjP/o+dfF1T2M=
 -----END CERTIFICATE-----
--- a/neon/test/chain.pem
+++ b/neon/test/chain.pem
@ -3,14 +3,14 @@ MIICNzCCAeGgAwIBAgIBADANBgkqhkiG9w0BAQQFADCBmjELMAkGA1UEBhMCVVMx
 EzARBgNVBAgTCkNhbGlmb3JuaWExEDAOBgNVBAcTB09ha2xhbmQxEDAOBgNVBAoT
 B05lb3NpZ24xFDASBgNVBAsTC1JhbmRvbSBEZXB0MRwwGgYDVQQDExNub3doZXJl
 LmV4YW1wbGUuY29tMR4wHAYJKoZIhvcNAQkBFg9uZW9uQHdlYmRhdi5vcmcwHhcN
-MDQxMDI5MTMxMzQ3WhcNMDcwNDE3MTMxMzQ3WjCBmjELMAkGA1UEBhMCVVMxEzAR
+MDQxMTAxMTUwMzEzWhcNMDcwNDIwMTUwMzEzWjCBmjELMAkGA1UEBhMCVVMxEzAR
 BgNVBAgTCkNhbGlmb3JuaWExEDAOBgNVBAcTB09ha2xhbmQxEDAOBgNVBAoTB05l
 b3NpZ24xFDASBgNVBAsTC1JhbmRvbSBEZXB0MRwwGgYDVQQDExNub3doZXJlLmV4
 YW1wbGUuY29tMR4wHAYJKoZIhvcNAQkBFg9uZW9uQHdlYmRhdi5vcmcwXDANBgkq
-hkiG9w0BAQEFAANLADBIAkEAxZZK/iqR8mWCs0u3A4Vz58fik0B2RpVLF8LFmXuu
-XCDNR4bjCwcOJpd+zpHrxb7LKaUYIA9Y3g1i90qylbgJBwIDAQABoxAwDjAMBgNV
-HRMEBTADAQH/MA0GCSqGSIb3DQEBBAUAA0EAEGXxwEqcoz3uXP6/7QqmMhxDhrce
-xAGgVRXo546dK9XW3/E6HL7vM+euPnsF/Anhjv5PSRG5pLTy2hDE+r/QuQ==
+hkiG9w0BAQEFAANLADBIAkEAulGu4rv1AMHc4Nbf/Nwi9a5Yi4cOM+hpUpkXQ7Bk
+uAB2r2xlX5F0bQdlItnOHRsCQ5HSFEVXeIr3OFn998cIiQIDAQABoxAwDjAMBgNV
+HRMEBTADAQH/MA0GCSqGSIb3DQEBBAUAA0EAJ4/6DGrb1MNN10RtYVc/gG8mEU64
+exTFjqe7lnmkGx/AJJ1oHM+YQ97rQyXppyYSARYO02bWJ3BRWPyy3jt1tg==
 -----END CERTIFICATE-----
 Certificate:
    Data:
@ -19,8 +19,8 @@ Certificate:
        Signature Algorithm: md5WithRSAEncryption
        Issuer: C=US, ST=California, L=Oakland, O=Neosign, OU=Random Dept, CN=nowhere.example.com/emailAddress=neon@webdav.org
        Validity
-            Not Before: Oct 29 13:13:48 2004 GMT
-            Not After : Apr 17 13:13:48 2007 GMT
+            Not Before: Nov  1 15:03:13 2004 GMT
+            Not After : Apr 20 15:03:13 2007 GMT
        Subject: C=GB, ST=Cambridgeshire, L=Cambridge, O=Neon Hackers Ltd, OU=Neon QA Dept, CN=localhost/emailAddress=neon@webdav.org
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
@ -36,21 +36,21 @@ Certificate:
            X509v3 Basic Constraints: 
            CA:FALSE
    Signature Algorithm: md5WithRSAEncryption
-        7e:43:47:e7:a6:40:a3:c0:08:ac:79:15:8b:f3:6f:50:5b:27:
-        a4:10:8d:61:b8:17:00:95:1e:bf:93:30:d6:19:99:b1:d6:a2:
-        ef:25:b4:c8:c0:06:0b:84:05:af:ae:75:f1:01:6a:83:b9:01:
-        35:01:11:8f:8b:35:5b:dc:3b:09
+        47:f4:42:07:69:04:84:cd:c8:e2:92:6a:6c:f2:d6:2c:83:27:
+        fd:e1:72:8f:a7:46:90:8f:ce:83:5b:4c:f9:17:a5:dd:2a:cf:
+        e6:6f:b8:f4:98:78:f0:d5:ce:80:4a:68:76:2c:7e:24:c7:a2:
+        2e:2f:5e:3e:63:6d:8d:c6:ca:ab
 -----BEGIN CERTIFICATE-----
 MIICOjCCAeSgAwIBAgIBAjANBgkqhkiG9w0BAQQFADCBmjELMAkGA1UEBhMCVVMx
 EzARBgNVBAgTCkNhbGlmb3JuaWExEDAOBgNVBAcTB09ha2xhbmQxEDAOBgNVBAoT
 B05lb3NpZ24xFDASBgNVBAsTC1JhbmRvbSBEZXB0MRwwGgYDVQQDExNub3doZXJl
 LmV4YW1wbGUuY29tMR4wHAYJKoZIhvcNAQkBFg9uZW9uQHdlYmRhdi5vcmcwHhcN
-MDQxMDI5MTMxMzQ4WhcNMDcwNDE3MTMxMzQ4WjCBoDELMAkGA1UEBhMCR0IxFzAV
+MDQxMTAxMTUwMzEzWhcNMDcwNDIwMTUwMzEzWjCBoDELMAkGA1UEBhMCR0IxFzAV
 BgNVBAgTDkNhbWJyaWRnZXNoaXJlMRIwEAYDVQQHEwlDYW1icmlkZ2UxGTAXBgNV
 BAoTEE5lb24gSGFja2VycyBMdGQxFTATBgNVBAsTDE5lb24gUUEgRGVwdDESMBAG
 A1UEAxMJbG9jYWxob3N0MR4wHAYJKoZIhvcNAQkBFg9uZW9uQHdlYmRhdi5vcmcw
 XDANBgkqhkiG9w0BAQEFAANLADBIAkEA80VObGfPglkD7z5KicPSpaBIE9has2Uf
 UU/6mybkQZkaYYka9IOyToeTK+y12ikoXnRS4RonbrciisCGSZ0YbQIDAQABow0w
-CzAJBgNVHRMEAjAAMA0GCSqGSIb3DQEBBAUAA0EAfkNH56ZAo8AIrHkVi/NvUFsn
-pBCNYbgXAJUev5Mw1hmZsdai7yW0yMAGC4QFr6518QFqg7kBNQERj4s1W9w7CQ==
+CzAJBgNVHRMEAjAAMA0GCSqGSIb3DQEBBAUAA0EAR/RCB2kEhM3I4pJqbPLWLIMn
+/eFyj6dGkI/Og1tM+Rel3SrP5m+49Jh48NXOgEpodix+JMeiLi9ePmNtjcbKqw==
 -----END CERTIFICATE-----