Update test suite to latest changes

 * Update test certificate to use SHA2 to avoid INSECURE error
 * Add certificate refresh dependency to Makefile
 * Add SASL SCRAM worng password test workaround
 * Suppress CRL verification tests as not supported by GIO-TLS
 * Fix summarise-tests.py to handle deprecations and new syntax

5 files changed, 49 insertions, 29 deletions

diff --git a/tests/Makefile.am b/tests/Makefile.am
index 1b16bd1..b00e77c 100644
--- a/tests/Makefile.am
+++ b/tests/Makefile.am
@@ -44,6 +44,13 @@ TLSDEFS  := -DTLS_CA_KEY_FILE='"$(CA_KEY)"'      \
             -DTLS_BADWILD_KEY_FILE='"$(BADWILD_KEY)"'  \
             -DTLS_CRL_DIR='"$(CRL_DIR)"'         \
             -DTLS_CA_DIR='"$(CA_DIR)"'
+
+CA0S = $(BADWILD_CERT) $(WILD_CERT) $(TLS_CERT) $(NEW_CERT) $(EXP_CERT) $(REV_CERT) $(SS_CERT)
+
+certs: $(CA0S)
+
+$(CA0S): $(CERT_DIR)/%-cert.pem: $(CERT_DIR)/%-cert.cfg $(CA_CERT) $(CA_KEY)
+	certtool --generate-certificate --template $< --outfile $@ --load-privkey certs/$*-key.pem --load-ca-certificate $(CA_CERT) --load-ca-privkey $(CA_KEY)
 ############################################################################
 TEST_PROGS = \
   wocky-bare-contact-test \
@@ -248,7 +255,8 @@ test-report: test-report.xml
 test-report.xml: ${TEST_PROGS} test
 
 test: ${TEST_PROGS}
-	gtester -o test-report.xml -k --verbose ${TEST_PROGS}
+	G_TLS_GNUTLS_PRIORITY='NORMAL:%COMPAT:-VERS-TLS1.3' \
+	  gtester -o test-report.xml -k --verbose ${TEST_PROGS}
 	@if [ -x $(which python) ] ; then \
 		$(SUMMARY) $@-report.xml ; \
 	else \
diff --git a/tests/certs/tls-cert.pem b/tests/certs/tls-cert.pem
index 0a393c1..461d0f4 100644
--- a/tests/certs/tls-cert.pem
+++ b/tests/certs/tls-cert.pem
@@ -1,24 +1,25 @@
 -----BEGIN CERTIFICATE-----
-MIIEHDCCAwagAwIBAgIBAjALBgkqhkiG9w0BAQUwbDELMAkGA1UEBhMCVUsxEjAQ
-BgNVBAoTCUNvbGxhYm9yYTEZMBcGA1UECxMQV29ja3kgVGVzdCBTdWl0ZTERMA8G
-A1UECBMIQ29uZnVzZWQxGzAZBgNVBAMTEldvY2t5IFhNUFAgTGlicmFyeTAeFw0w
-OTA5MTgxMjU0MDdaFw0zNzA5MTExMjU0MDdaMGkxCzAJBgNVBAYTAlVLMRIwEAYD
-VQQKEwlDb2xsYWJvcmExGTAXBgNVBAsTEFdvY2t5IFRlc3QgU3VpdGUxDjAMBgNV
-BAgTBURhemVkMRswGQYDVQQDExJXb2NreSBYTVBQIExpYnJhcnkwggEfMAsGCSqG
-SIb3DQEBAQOCAQ4AMIIBCQKCAQDC30AXWnLcakXrq3rHIfy+0u7zNAmdRYw88MIA
-7wpZZ4LxMHMqu4YnnyysoRNI9wblCPkJ29XyBmhfLc9Gmnnl6phzf04n9x93Z8t9
-JHnnwqqJzdtxfuHsAWa/+2He3uNxWML+dUy/OB5iazPeCwKtqwmh57oLFLHkF+Dh
-hrweUkoQDDnJ/1xT0bHmdslQ9qnMIxhjDUoZ9TkAk+8PpsoHbPclfr6ytnCjGfLO
-oA9vWehPokTDvQPQmXc52vIFNp8A3h05jep3DBYzkG+WJcJRNhyxC0dzFqyrFJW2
-XMtCs0p1cPaHgXVPCe4icXLY48ehVaFvBR02K3jVQ7WketzxAgMBAAGjgdIwgc8w
-DAYDVR0TAQH/BAIwADAdBgNVHSUEFjAUBggrBgEFBQcDAgYIKwYBBQUHAwEwIQYD
-VR0RBBowGIIQd2Vhc2VsLWp1aWNlLm9yZ4cEfwAAATAPBgNVHQ8BAf8EBQMDByAA
-MB0GA1UdDgQWBBRDAfw/7QRZO5a0qmJ75Oeo3hA01zAfBgNVHSMEGDAWgBRJMCYI
-jJrWac2LwMwOXAKOSh+mjDAsBgNVHR8EJTAjMCGgH6AdhhtmaWxlOi8vL3RtcC93
-b2NreS10ZXN0cy9jcmwwCwYJKoZIhvcNAQEFA4IBAQAIcwQ8FN7lnnQPm4al6y5v
-zrGzVSxkUuN+I8457E9ZAoFpItMGqWWKjjbOgjS3d95yJWmEW2eBVC3/LMEAvv4z
-Q6HkTRhafkiLWmXNa8DtbUq1cZ2hNrR1lNTOL4zXwg9JQbtFw0EAM7LfSgqHhTzs
-xO0AbXaO0TlbYkn9/amPCNQcFjg6Dgdm3x0T3g/tLQjtzjro/hdgYZqPng0MYBpG
-AUj99FwahI5D8cAPoUjtpxZOlsexz4r8UVGNRvL0Wqg57w8KKF7GVr15b2ZAeQwo
-pNJkMSXAyPpKW24Q06zwYFnC+Cp32udf2wIB9FEC3zNQugUbtFitHzPjzhum13iR
+MIIELTCCAxWgAwIBAgIBAjANBgkqhkiG9w0BAQsFADBsMQswCQYDVQQGEwJVSzES
+MBAGA1UEChMJQ29sbGFib3JhMRkwFwYDVQQLExBXb2NreSBUZXN0IFN1aXRlMREw
+DwYDVQQIEwhDb25mdXNlZDEbMBkGA1UEAxMSV29ja3kgWE1QUCBMaWJyYXJ5MB4X
+DTIwMDUxMDIwMTI0NVoXDTQ4MDUwMzIwMTI0NVowaTEbMBkGA1UEAxMSV29ja3kg
+WE1QUCBMaWJyYXJ5MRkwFwYDVQQLExBXb2NreSBUZXN0IFN1aXRlMRIwEAYDVQQK
+EwlDb2xsYWJvcmExDjAMBgNVBAgTBURhemVkMQswCQYDVQQGEwJVSzCCASIwDQYJ
+KoZIhvcNAQEBBQADggEPADCCAQoCggEBAMLfQBdactxqReuresch/L7S7vM0CZ1F
+jDzwwgDvCllngvEwcyq7hiefLKyhE0j3BuUI+Qnb1fIGaF8tz0aaeeXqmHN/Tif3
+H3dny30keefCqonN23F+4ewBZr/7Yd7e43FYwv51TL84HmJrM94LAq2rCaHnugsU
+seQX4OGGvB5SShAMOcn/XFPRseZ2yVD2qcwjGGMNShn1OQCT7w+mygds9yV+vrK2
+cKMZ8s6gD29Z6E+iRMO9A9CZdzna8gU2nwDeHTmN6ncMFjOQb5YlwlE2HLELR3MW
+rKsUlbZcy0KzSnVw9oeBdU8J7iJxctjjx6FVoW8FHTYreNVDtaR63PECAwEAAaOB
+3DCB2TAMBgNVHRMBAf8EAjAAMCcGA1UdJQQgMB4GCCsGAQUFBwMCBggrBgEFBQcD
+AQYIKwYBBQUHAwgwIQYDVR0RBBowGIIQd2Vhc2VsLWp1aWNlLm9yZ4cEfwAAATAP
+BgNVHQ8BAf8EBQMDByAAMB0GA1UdDgQWBBSnm0ure0FMVwcbd37kVDoq2IC49zAf
+BgNVHSMEGDAWgBRJMCYIjJrWac2LwMwOXAKOSh+mjDAsBgNVHR8EJTAjMCGgH6Ad
+hhtmaWxlOi8vL3RtcC93b2NreS10ZXN0cy9jcmwwDQYJKoZIhvcNAQELBQADggEB
+AFujRXAlEdlLW/QcedCfloA5OCFhDhMQSScu/QHTirgQ7yuFpS0XEeWkfWbgv3Iz
+q0StLZdDbd8xLU47boiOYx6fep6aKwRsomeewIoydxvBWLmgX8u+Re5BzWiDXif+
+w0xbiIuL5/vRADs2XpMNjC8hRlDQ0DiwO4zQ7JdfXuULZI6fnmLFXBGHn4ROModv
+ihbnALXBphRhS6Jx2vPT9vSUcl1EodxXkAevL1gAGpx/h9AY0C8hg4mgt1KBgUMh
+yPtDiUUji/mssUVS+ovCDIwNxUdJmjnVHwuyheroU1DHLKuNLywv6anzchtbpQSb
+AArp9feDlebDbxJf7hu+zck=
 -----END CERTIFICATE-----
diff --git a/tests/summarise-tests.py b/tests/summarise-tests.py
index 684635e..abe62f0 100755
--- a/tests/summarise-tests.py
+++ b/tests/summarise-tests.py
@@ -26,11 +26,11 @@ def process(testbinary):
     return (cases, failures)
 
 doc = minidom.parse(sys.argv[1])
-
+rep = doc.childNodes[0] if doc.childNodes[0].nodeType == doc.childNodes[0].ELEMENT_NODE else doc.childNodes[1]
 okay = True
 
 tests = {}
-for e in doc.childNodes[0].childNodes:
+for e in rep.childNodes:
     if e.nodeType != e.ELEMENT_NODE or e.localName != 'testbinary':
         continue
     path = e.getAttribute("path")
@@ -39,17 +39,17 @@ for e in doc.childNodes[0].childNodes:
     ocases, ofailures = tests.get (path, [ 0, []])
     tests[path] = [ ocases + cases, ofailures + failures ]
 
-for name, [cases, failures] in tests.iteritems():
+for name, [cases, failures] in tests.items():
     if failures == []:
         result = 'PASS'
     else:
         result = 'FAIL'
         okay = False
 
-    print "%s: %s: %u/%u tests passed" % (result, name, cases - len (failures), cases)
+    print("%s: %s: %u/%u tests passed" % (result, name, cases - len (failures), cases))
     for f in failures:
-        print "\tFailure: %s" % f
+        print("\tFailure: %s" % f)
 
 if not okay:
-    print "Disaster! Calamity!"
+    print("Disaster! Calamity!")
     sys.exit(1)
diff --git a/tests/wocky-connector-test.c b/tests/wocky-connector-test.c
index fae3922..f985406 100644
--- a/tests/wocky-connector-test.c
+++ b/tests/wocky-connector-test.c
@@ -2821,6 +2821,7 @@ test_t tests[] =
           { "moose@weasel-juice.org", "something", PLAIN, TLS },
           { NULL, 0, XMPP_V1, STARTTLS, CERT_CHECK_STRICT, TLS_CA_DIR } } },
 
+#ifdef GIO_TLS_CRL_ENABLED
     { "/connector/cert-verification/tls/revoked/fail",
       QUIET,
       { S_WOCKY_TLS_CERT_ERROR, WOCKY_TLS_CERT_REVOKED, -1 },
@@ -2844,6 +2845,7 @@ test_t tests[] =
         { TLS_REQUIRED,
           { "moose@weasel-juice.org", "something", PLAIN, TLS },
           { NULL, 0, XMPP_V1, STARTTLS, CERT_CHECK_LENIENT, TLS_CA_DIR } } },
+#endif /* GIO_TLS_CRL_ENABLED */
 
     /* ********************************************************************* */
     /* as above but with legacy ssl                                          */
@@ -2991,6 +2993,7 @@ test_t tests[] =
           { "moose@weasel-juice.org", "something", PLAIN, TLS },
           { NULL, 0, XMPP_V1, OLD_SSL, CERT_CHECK_STRICT, TLS_CA_DIR } } },
 
+#ifdef GIO_TLS_CRL_ENABLED
     { "/connector/cert-verification/ssl/revoked/fail",
       QUIET,
       { S_WOCKY_TLS_CERT_ERROR, WOCKY_TLS_CERT_REVOKED, -1 },
@@ -3014,6 +3017,7 @@ test_t tests[] =
         { TLS_REQUIRED,
           { "moose@weasel-juice.org", "something", PLAIN, TLS },
           { NULL, 0, XMPP_V1, OLD_SSL, CERT_CHECK_LENIENT, TLS_CA_DIR } } },
+#endif /* GIO_TLS_CRL_ENABLED */
 
     /* ********************************************************************* */
     /* certificate non-verification tests                                    */
diff --git a/tests/wocky-test-sasl-auth-server.c b/tests/wocky-test-sasl-auth-server.c
index 375cc94..c76a658 100644
--- a/tests/wocky-test-sasl-auth-server.c
+++ b/tests/wocky-test-sasl-auth-server.c
@@ -494,6 +494,13 @@ check_sasl_return (TestSaslAuthServer *self, int ret)
         g_assert_cmpint (priv->problem, ==, SERVER_PROBLEM_INVALID_PASSWORD);
         not_authorized (self);
         return FALSE;
+#if SASL_VERSION_FULL <= 0x02011B
+      case SASL_BADPROT:
+        /* Bad password provided - scram pre #545 */
+        g_assert_cmpint (priv->problem, ==, SERVER_PROBLEM_INVALID_PASSWORD);
+        not_authorized (self);
+        return FALSE;
+#endif /* SASL_VERSION_FULL */
       case SASL_NOUSER:
         /* Unknown user */
         g_assert_cmpint (priv->problem, ==, SERVER_PROBLEM_INVALID_USERNAME);