Tests for sending large amounts of data over NNG TLS streams.

This also starts the test framework NNG streams, so that we can
test those more directly.

4 files changed, 385 insertions, 2 deletions

diff --git a/src/supplemental/tls/tls_common.c b/src/supplemental/tls/tls_common.c
index 7d89ea21..409c6600 100644
--- a/src/supplemental/tls/tls_common.c
+++ b/src/supplemental/tls/tls_common.c
@@ -1228,6 +1228,8 @@ nng_tls_engine_send(void *arg, const uint8_t *buf, size_t *szp)
 	// We are committed at this point to sending out len bytes.
 	// Update this now, so that we can use len to update.
 	*szp = len;
+	conn->tcp_send_len += len;
+	NNI_ASSERT(conn->tcp_send_len <= NNG_TLS_MAX_SEND_SIZE);
 
 	while (len > 0) {
 		if (head >= tail) {
@@ -1243,11 +1245,11 @@ nng_tls_engine_send(void *arg, const uint8_t *buf, size_t *szp)
 		buf += cnt;
 		head += cnt;
 		head %= NNG_TLS_MAX_SEND_SIZE;
-		conn->tcp_send_len += cnt;
-		conn->tcp_send_head = head;
 		len -= cnt;
 	}
 
+	conn->tcp_send_head = head;
+
 	tls_tcp_send_start(conn);
 	return (0);
 }
diff --git a/src/supplemental/tls/tls_test.c b/src/supplemental/tls/tls_test.c
index bd96ae08..4857c4c7 100644
--- a/src/supplemental/tls/tls_test.c
+++ b/src/supplemental/tls/tls_test.c
@@ -53,7 +53,109 @@ test_tls_config_version(void)
 	nng_tls_config_free(cfg);
 }
 
+void
+test_tls_conn_refused(void)
+{
+	nng_stream_dialer *dialer;
+	nng_aio *          aio;
+
+	TEST_NNG_PASS(nng_aio_alloc(&aio, NULL, NULL));
+	nng_aio_set_timeout(aio, 5000); // 5 sec
+
+	// port 8 is generally not used for anything.
+	TEST_NNG_PASS(
+	    nng_stream_dialer_alloc(&dialer, "tls+tcp://127.0.0.1:8"));
+	nng_stream_dialer_dial(dialer, aio);
+	nng_aio_wait(aio);
+	TEST_NNG_FAIL(nng_aio_result(aio), NNG_ECONNREFUSED);
+
+	nng_aio_free(aio);
+	nng_stream_dialer_free(dialer);
+}
+
+void
+test_tls_large_message(void)
+{
+	nng_stream_listener *l;
+	nng_stream_dialer *  d;
+	nng_aio *            aio1, *aio2;
+	nng_stream *         s1;
+	nng_stream *         s2;
+	nng_tls_config *     c1;
+	nng_tls_config *     c2;
+	char                 addr[32];
+	uint8_t *            buf1;
+	uint8_t *            buf2;
+	size_t               size = 450001;
+	void *               t1;
+	void *               t2;
+
+	// allocate messages
+	TEST_CHECK((buf1 = nng_alloc(size)) != NULL);
+	TEST_CHECK((buf2 = nng_alloc(size)) != NULL);
+
+	for (size_t i = 0; i < size; i++) {
+		buf1[i] = rand() & 0xff;
+	}
+
+	TEST_NNG_PASS(nng_aio_alloc(&aio1, NULL, NULL));
+	TEST_NNG_PASS(nng_aio_alloc(&aio2, NULL, NULL));
+	nng_aio_set_timeout(aio1, 5000);
+	nng_aio_set_timeout(aio2, 5000);
+
+	testutil_scratch_addr("tls+tcp", sizeof(addr), addr);
+
+	TEST_NNG_PASS(nng_stream_dialer_alloc(&d, addr));
+	TEST_NNG_PASS(nng_stream_listener_alloc(&l, addr));
+
+	// set up TLS parameters
+
+	TEST_NNG_PASS(nng_tls_config_alloc(&c1, NNG_TLS_MODE_SERVER));
+	TEST_NNG_PASS(nng_tls_config_own_cert(
+	    c1, testutil_server_crt, testutil_server_key, NULL));
+
+	TEST_NNG_PASS(nng_tls_config_alloc(&c2, NNG_TLS_MODE_CLIENT));
+	TEST_NNG_PASS(nng_tls_config_ca_chain(c2, testutil_server_crt, NULL));
+	TEST_NNG_PASS(nng_tls_config_server_name(c2, "localhost"));
+
+	TEST_NNG_PASS(nng_stream_listener_set_ptr(l, NNG_OPT_TLS_CONFIG, c1));
+	TEST_NNG_PASS(nng_stream_dialer_set_ptr(d, NNG_OPT_TLS_CONFIG, c2));
+
+	TEST_NNG_PASS(nng_stream_listener_listen(l));
+	nng_stream_listener_accept(l, aio1);
+	nng_stream_dialer_dial(d, aio2);
+
+	nng_aio_wait(aio1);
+	nng_aio_wait(aio2);
+
+	TEST_NNG_PASS(nng_aio_result(aio1));
+	TEST_NNG_PASS(nng_aio_result(aio2));
+
+	TEST_CHECK((s1 = nng_aio_get_output(aio1, 0)) != NULL);
+	TEST_CHECK((s2 = nng_aio_get_output(aio2, 0)) != NULL);
+
+	t1 = testutil_stream_send_start(s1, buf1, size);
+	t2 = testutil_stream_recv_start(s2, buf2, size);
+
+	TEST_NNG_PASS(testutil_stream_send_wait(t1));
+	TEST_NNG_PASS(testutil_stream_recv_wait(t2));
+	TEST_CHECK(memcmp(buf1, buf2, size) == 0);
+
+	nng_free(buf1, size);
+	nng_free(buf2, size);
+	nng_stream_free(s1);
+	nng_stream_free(s2);
+	nng_stream_dialer_free(d);
+	nng_stream_listener_free(l);
+	nng_tls_config_free(c1);
+	nng_tls_config_free(c2);
+	nng_aio_free(aio1);
+	nng_aio_free(aio2);
+}
+
 TEST_LIST = {
 	{ "tls config version", test_tls_config_version },
+	{ "tls conn refused", test_tls_conn_refused },
+	{ "tls large message", test_tls_large_message },
 	{ NULL, NULL },
 };
\ No newline at end of file
diff --git a/tests/testutil.c b/tests/testutil.c
index 2f6bf24d..4b20fc6a 100644
--- a/tests/testutil.c
+++ b/tests/testutil.c
@@ -389,3 +389,264 @@ done:
 	}
 	return (rv);
 }
+
+typedef struct {
+	uint8_t *   base;
+	size_t      rem;
+	nng_iov     iov;
+	nng_aio *   upper_aio;
+	nng_aio *   lower_aio;
+	nng_stream *s;
+	void (*submit)(nng_stream *, nng_aio *);
+} stream_xfr_t;
+
+static void
+stream_xfr_free(stream_xfr_t *x)
+{
+	if (x == NULL) {
+		return;
+	}
+	if (x->upper_aio != NULL) {
+		nng_aio_free(x->upper_aio);
+	}
+	if (x->lower_aio != NULL) {
+		nng_aio_free(x->lower_aio);
+	}
+	nng_free(x, sizeof(*x));
+}
+
+static void
+stream_xfr_start(stream_xfr_t *x)
+{
+	nng_iov iov;
+	iov.iov_buf = x->base;
+	iov.iov_len = x->rem;
+
+	nng_aio_set_iov(x->lower_aio, 1, &iov);
+	x->submit(x->s, x->lower_aio);
+}
+
+static void
+stream_xfr_cb(void *arg)
+{
+	stream_xfr_t *x = arg;
+	int           rv;
+	size_t        n;
+
+	rv = nng_aio_result(x->lower_aio);
+	if (rv != 0) {
+		nng_aio_finish(x->upper_aio, rv);
+		return;
+	}
+	n = nng_aio_count(x->lower_aio);
+
+	x->rem -= n;
+	x->base += n;
+
+	if (x->rem == 0) {
+		nng_aio_finish(x->upper_aio, 0);
+		return;
+	}
+
+	stream_xfr_start(x);
+}
+
+static stream_xfr_t *
+stream_xfr_alloc(nng_stream *s, void (*submit)(nng_stream *, nng_aio *),
+    void *buf, size_t size)
+{
+	stream_xfr_t *x;
+
+	if ((x = nng_alloc(size)) == NULL) {
+		return (NULL);
+	}
+	if (nng_aio_alloc(&x->upper_aio, NULL, NULL) != 0) {
+		stream_xfr_free(x);
+		return (NULL);
+	}
+	if (nng_aio_alloc(&x->lower_aio, stream_xfr_cb, x) != 0) {
+		stream_xfr_free(x);
+		return (NULL);
+	}
+
+	// Upper should not take more than 30 seconds, lower not more than 5.
+	nng_aio_set_timeout(x->upper_aio, 30000);
+	nng_aio_set_timeout(x->lower_aio, 5000);
+
+	nng_aio_begin(x->upper_aio);
+
+	x->s           = s;
+	x->rem         = size;
+	x->base        = buf;
+	x->submit      = submit;
+
+	return (x);
+}
+
+static int
+stream_xfr_wait(stream_xfr_t *x)
+{
+	int rv;
+	if (x == NULL) {
+		return (NNG_ENOMEM);
+	}
+	nng_aio_wait(x->upper_aio);
+	rv = nng_aio_result(x->upper_aio);
+	stream_xfr_free(x);
+	return (rv);
+}
+
+void *
+testutil_stream_recv_start(nng_stream *s, void *buf, size_t size)
+{
+	stream_xfr_t *x;
+
+	x = stream_xfr_alloc(s, nng_stream_recv, buf, size);
+	if (x == NULL) {
+		return (x);
+	}
+	stream_xfr_start(x);
+	return (x);
+}
+
+int
+testutil_stream_recv_wait(void *arg)
+{
+	return (stream_xfr_wait(arg));
+}
+
+void *
+testutil_stream_send_start(nng_stream *s, void *buf, size_t size)
+{
+	stream_xfr_t *x;
+
+	x = stream_xfr_alloc(s, nng_stream_send, buf, size);
+	if (x == NULL) {
+		return (x);
+	}
+	stream_xfr_start(x);
+	return (x);
+}
+
+int
+testutil_stream_send_wait(void *arg)
+{
+	return (stream_xfr_wait(arg));
+}
+
+// TLS certificates.  These are pre-generated, and should not be used outside
+// of these test cases.  They are all using RSA 2048 with SHA256.
+// All certs are signed by the root key (making the root self-signed).
+// They all expire in about 100 years -- so we don't have to worry about
+// expiration.
+//
+// The server cert uses CN 127.0.0.1.
+//
+// Country = XX
+// State = Utopia
+// Locality = Paradise
+// Organization = NNG Tests, Inc.
+//
+
+const char *testutil_server_key =
+    "-----BEGIN RSA PRIVATE KEY-----\n"
+    "MIIEowIBAAKCAQEAyPdnRbMrQj9902TGQsmMbG6xTSl9XKbJr55BcnyZifsrqA7B\n"
+    "bNSkndVw9Qq+OJQIDBTfRhGdG+o9j3h6SDVvIb62fWtwJ5Fe0eUmeYwPc1PKQzOm\n"
+    "MFlMYekXiZsx60yu5LeuUhGlb84+csImH+m3NbutInPJcStSq0WfSV6VNk6DN353\n"
+    "5ex66zV2Ms6ikys1vCC434YqIpe1VxUh+IC2widJcLDCxmmJt3TOlx5f9OcKMkxu\n"
+    "H4fMAzgjIEpIrUjdb19CGNVvsNrEEB2CShBMgBdqMaAnKFxpKgfzS0JFulxRGNtp\n"
+    "srweki+j+a4sJXTv40kELkRQS6uB6wWZNjcPywIDAQABAoIBAQCGSUsot+BgFCzv\n"
+    "5JbWafb7Pbwb421xS8HZJ9Zzue6e1McHNVTqc+zLyqQAGX2iMMhvykKnf32L+anJ\n"
+    "BKgxOANaeSVYCUKYLfs+JfDfp0druMGexhR2mjT/99FSkfF5WXREQLiq/j+dxiLU\n"
+    "bActq+5QaWf3bYddp6VF7O/TBvCNqBfD0+S0o0wtBdvxXItrKPTD5iKr9JfLWdAt\n"
+    "YNAk2QgFywFtY5zc2wt4queghF9GHeBzzZCuVj9QvPA4WdVq0mePaPTmvTYQUD0j\n"
+    "GT6X5j9JhqCwfh7trb/HfkmLHwwc62zPDFps+Dxao80+vss5b/EYZ4zY3S/K3vpG\n"
+    "f/e42S2BAoGBAP51HQYFJGC/wsNtOcX8RtXnRo8eYmyboH6MtBFrZxWl6ERigKCN\n"
+    "5Tjni7EI3nwi3ONg0ENPFkoQ8h0bcVFS7iW5kz5te73WaOFtpkU9rmuFDUz37eLP\n"
+    "d+JLZ5Kwfn2FM9HoiSAZAHowE0MIlmmIEXSnFtqA2zzorPQLO/4QlR+VAoGBAMov\n"
+    "R0yaHg3qPlxmCNyLXKiGaGNzvsvWjYw825uCGmVZfhzDhOiCFMaMb51BS5Uw/gwm\n"
+    "zHxmJjoqak8JjxaQ1qKPoeY1TJ5ps1+TRq9Wzm2/zGqJHOXnRPlqwBQ6AFllAMgt\n"
+    "Rlp5uqb8QJ+YEo6/1kdGhw9kZWCZEEue6MNQjxnfAoGARLkUkZ+p54di7qz9QX+V\n"
+    "EghYgibOpk6R1hviNiIvwSUByhZgbvxjwC6pB7NBg31W8wIevU8K0g4plbrnq/Md\n"
+    "5opsPhwLo4XY5albkq/J/7f7k6ISWYN2+WMsIe4Q+42SJUsMXeLiwh1h1mTnWrEp\n"
+    "JbxK69CJZbXhoDe4iDGqVNECgYAjlgS3n9ywWE1XmAHxR3osk1OmRYYMfJv3VfLV\n"
+    "QSYCNqkyyNsIzXR4qdkvVYHHJZNhcibFsnkB/dsuRCFyOFX+0McPLMxqiXIv3U0w\n"
+    "qVe2C28gRTfX40fJmpdqN/c9xMBJe2aJoClRIM8DCBIkG/HMI8a719DcGrS6iqKv\n"
+    "VeuKAwKBgEgD+KWW1KtoSjCBlS0NP8HjC/Rq7j99YhKE6b9h2slIa7JTO8RZKCa0\n"
+    "qbuomdUeJA3R8h+5CFkEKWqO2/0+dUdLNOjG+CaTFHaUJevzHOzIjpn+VsfCLV13\n"
+    "yupGzHG+tGtdrWgLn9Dzdp67cDfSnsSh+KODPECAAFfo+wPvD8DS\n"
+    "-----END RSA PRIVATE KEY-----\n";
+
+const char *testutil_server_crt =
+    "-----BEGIN CERTIFICATE-----\n"
+    "MIIDRzCCAi8CFCOIJGs6plMawgBYdDuCRV7UuJuyMA0GCSqGSIb3DQEBCwUAMF8x\n"
+    "CzAJBgNVBAYTAlhYMQ8wDQYDVQQIDAZVdG9waWExETAPBgNVBAcMCFBhcmFkaXNl\n"
+    "MRgwFgYDVQQKDA9OTkcgVGVzdHMsIEluYy4xEjAQBgNVBAMMCWxvY2FsaG9zdDAg\n"
+    "Fw0yMDA1MjMyMzMxMTlaGA8yMTIwMDQyOTIzMzExOVowXzELMAkGA1UEBhMCWFgx\n"
+    "DzANBgNVBAgMBlV0b3BpYTERMA8GA1UEBwwIUGFyYWRpc2UxGDAWBgNVBAoMD05O\n"
+    "RyBUZXN0cywgSW5jLjESMBAGA1UEAwwJbG9jYWxob3N0MIIBIjANBgkqhkiG9w0B\n"
+    "AQEFAAOCAQ8AMIIBCgKCAQEAyPdnRbMrQj9902TGQsmMbG6xTSl9XKbJr55BcnyZ\n"
+    "ifsrqA7BbNSkndVw9Qq+OJQIDBTfRhGdG+o9j3h6SDVvIb62fWtwJ5Fe0eUmeYwP\n"
+    "c1PKQzOmMFlMYekXiZsx60yu5LeuUhGlb84+csImH+m3NbutInPJcStSq0WfSV6V\n"
+    "Nk6DN3535ex66zV2Ms6ikys1vCC434YqIpe1VxUh+IC2widJcLDCxmmJt3TOlx5f\n"
+    "9OcKMkxuH4fMAzgjIEpIrUjdb19CGNVvsNrEEB2CShBMgBdqMaAnKFxpKgfzS0JF\n"
+    "ulxRGNtpsrweki+j+a4sJXTv40kELkRQS6uB6wWZNjcPywIDAQABMA0GCSqGSIb3\n"
+    "DQEBCwUAA4IBAQA86Fqrd4aiih6R3fwiMLwV6IQJv+u5rQeqA4D0xu6v6siP42SJ\n"
+    "YMaI2DkNGrWdSFVSHUK/efceCrhnMlW7VM8I1cyl2F/qKMfnT72cxqqquiKtQKdT\n"
+    "NDTzv61QMUP9n86HxMzGS7jg0Pknu55BsIRNK6ndDvI3D/K/rzZs4xbqWSSfNfQs\n"
+    "fNFBbOuDrkS6/1h3p8SY1uPM18WLVv3GO2T3aeNMHn7YJAKSn+sfaxzAPyPIK3UT\n"
+    "W8ecGQSHOqBJJQELyUfMu7lx/FCYKUhN7/1uhU5Qf1pCR8hkIMegtqr64yVBNMOn\n"
+    "248fuiHbs9BRknuA/PqjxIDDZTwtDrfVSO/S\n"
+    "-----END CERTIFICATE-----\n";
+
+const char *testutil_client_key =
+    "-----BEGIN RSA PRIVATE KEY-----\n"
+    "MIIEowIBAAKCAQEArohAOr7gv5aNpTEviOPPBJ2fArUX2EajMEtU9tF8H/TTlcMB\n"
+    "oy+vYoyNe56jc7CWUfO0S54rg0XaQ7HTI5EWueSR9wrEVK4q+Zg6x1dwr4k5SxD5\n"
+    "NcStDXzUjiCi9ygZRxpOUz8jRhKZFENuCdLxSN7E2vuOIU9IR5FpatMlsD33rTOX\n"
+    "Pgyx7qNpBj63ZCzY3b09zWBAXc/sLd1mxjlNP/LbtVLrFeIT1j6Gv0UgzxIcEjQ3\n"
+    "vybV/EYK7THn7jLhudEa+7fC9jfzwozbuszfEje/U0h0/DF4coGyIQTfDh6Wmk3x\n"
+    "5YB2QaI/0jwn8cwracKGtNO+vLqV4yUWZxf5xwIDAQABAoIBADXIEJrJpPIEz6Me\n"
+    "0/oH0QwoEg7AhReFNNY18HmaNfiW9fhJPiDuGcpxa0uzp8SHntqkEWPX2qq6BLcl\n"
+    "fd2Q4QLpdz08GSHLBb0h9sLko/nDfF8wXMr/zx+/3rPpRK6KsbdiWM54P0NhicBf\n"
+    "wvHOCcIdu2WLbNHA35IGMgjUBeIXxAsje63RBS3Dd6RnASxF7bbC/GXiUouQnos1\n"
+    "VSLoR6fLQQYlrMOAJU3ruPvMRwkrgaHQ1jl3PL4ilZMuvt7LSAi/KUDKMLRHdLNe\n"
+    "tMPITE5CvQ/rBhiUHMsTn1Xb2/jmSuJieJtG2fEDmLFuYZMUFMg1XfQ+ZC9cDCGI\n"
+    "wiEYUbkCgYEA1NoKnHp7Zmc2AK1J78uYByEwr8z2nAYZNq5LFeKuCd4rky6v385x\n"
+    "IjIYhvPLiGXw/lDfF1T15lHHo2FDAQqDa2rbEe+ycDC7Qa3eJjcsN284n1RM2pl+\n"
+    "iNyyhS09YVadelBxWsMqnwdDlf5lrSa7DW1+/u/z2iAw8lGka8XpFpsCgYEA0emd\n"
+    "sYqNivonQFEqJxi2kGTBjX8HNEjeF9tTLuAAg0hjhbW4i1v3JsekW9thbG436THa\n"
+    "4zWUBmcaEwx0iTD1dqM+d+PbN/4vxoRx9kWQJicfR+sa6eJiwL5UmiqDdX4to5z9\n"
+    "MbahemNBzYybr7lcvw+RbL91Fr/z3GooDM9rxkUCgYAuF8mUeTGfy1n2a5BHTV9u\n"
+    "q9FPQKNmxitPnA7GfoARwvrMtJ+BZ8M4FIEbOFArCWhWqkylUNCvP6ZryvQnlY9A\n"
+    "A7PM/os1oFfssSoaPHhmyL8KQcciz3qHSMOf81wHaCpSAnmJnhnstjX8lUqPZIO9\n"
+    "NKj7rBqycaYn02Y3sHP5YQKBgQDQxOQNW5uCiWDYWuDtmWqZGVxW+euUWJRqbbvB\n"
+    "dw+LgkdZCG7OS1z3uL8CjKHMUaJRzz+/kd3ysEACifStLYAzyg+q9XdlrOyfJ8Kg\n"
+    "CHdhOq+lu3I9Aubsg19pJLcx95g0jUJUWysmqekcIagFkPlpHHaqDZDKW4aRxRKo\n"
+    "CvNJcQKBgA9DB8OzHA/gp8TztxUZu8hAVfehLxVORquFvMRF0cr8uxjbu/6sDhzc\n"
+    "TRUkXRUe4DGxxMzAd+1SF/IWlcuZlfcuZrytH1hbjmrN8H30y+yGXFsSGCI/rudk\n"
+    "rLXNS+vWEeuOV8lQuQY0fkokmxnmhkPDMXra5/3KrVMzm3ZNF5N8\n"
+    "-----END RSA PRIVATE KEY-----\n";
+
+const char *testutil_client_crt =
+    "-----BEGIN CERTIFICATE-----\n"
+    "MIIDdzCCAl8CFEzqJgxMn+OTdw7RjLtz8FlhrQ0HMA0GCSqGSIb3DQEBCwUAMHcx\n"
+    "CzAJBgNVBAYTAlhYMQ8wDQYDVQQIDAZVdG9waWExETAPBgNVBAcMCFBhcmFkaXNl\n"
+    "MRgwFgYDVQQKDA9OTkcgVGVzdHMsIEluYy4xFDASBgNVBAsMC0NsaWVudCBDZXJ0\n"
+    "MRQwEgYDVQQDDAtUZXN0IENsaWVudDAgFw0yMDA1MjMxODQ1MjZaGA8yMTIwMDQy\n"
+    "OTE4NDUyNlowdzELMAkGA1UEBhMCWFgxDzANBgNVBAgMBlV0b3BpYTERMA8GA1UE\n"
+    "BwwIUGFyYWRpc2UxGDAWBgNVBAoMD05ORyBUZXN0cywgSW5jLjEUMBIGA1UECwwL\n"
+    "Q2xpZW50IENlcnQxFDASBgNVBAMMC1Rlc3QgQ2xpZW50MIIBIjANBgkqhkiG9w0B\n"
+    "AQEFAAOCAQ8AMIIBCgKCAQEAoHWEJXvfaHDM33AyYbJHggKOllgcvwscEnsXztIt\n"
+    "OK+0jO6SRFSbtye1cjtrkGVCYBjeWMcOdEiNB0pw3PceVpF/Q9ifCuaSYsJA3sPH\n"
+    "wi/A3G7ZTe2KCH1i26I4zyw1Bn5AzkaDDXsaht2S9PEqIBCbWo/V1pWiv4QdYmLT\n"
+    "/UFYJDxFpFC3iKVC+BDv9yzziyaFXOYsQJXcaq8ZRD79bNV5NFfzUih8RoasIdD4\n"
+    "LoamBSbbr5XzstTISus+wu1JDKgKkYMJhLGA/tdU/eOKuTDx89yO4ba23W74xeqW\n"
+    "JYe0wPy+krmeB5M7UA7jIvg1JXhYACxujhieMp7wcC3FPwIDAQABMA0GCSqGSIb3\n"
+    "DQEBCwUAA4IBAQCMTQ89YnD19bCGIdUl/z6w2yx1x1kvTYHT+SzhUprsgiuS3KT1\n"
+    "RZNhjf5U3Yu+B6SrJCLuylv+L2zQfmHogp3lV7bayOA7r/rVy5fdmHS+Ei1w6LDL\n"
+    "t8jayiRMPG4VCgaG486yI73PFpK5DXnyFqSd23TlWvNoNeVag5gjlhzG+mHZBSB2\n"
+    "ExpGY3SPxrKSzDqIITVPVgzjW25N8qtgLXC6HODDiViNYq1nmuoS4O80NIYAPPs6\n"
+    "sxUMa5kT+zc17q57ZcgNq/sSGI3BU4b/E/8ntIwiui2xWSf/4JR6xtanih8uY5Pu\n"
+    "QTgg9qTtFgtu4WWUP7JhreoINTw6O4/g5Z18\n"
+    "-----END CERTIFICATE-----\n";
diff --git a/tests/testutil.h b/tests/testutil.h
index a297b603..15028106 100644
--- a/tests/testutil.h
+++ b/tests/testutil.h
@@ -56,6 +56,24 @@ extern int testutil_marry(nng_socket, nng_socket);
 extern int testutil_marry_ex(
     nng_socket, nng_socket, const char *, nng_pipe *, nng_pipe *);
 
+// testutil_stream_send_start and testutil_stream_recv_start are used
+// to initiate transfers asynchronously.  They return a token which can
+// be used with testutil_stream_send_wait and testutil_stream_recv_wait.
+// Those wait functions will return the result of operation (0 on
+// success, an NNG error number otherwise.)
+extern void *testutil_stream_send_start(nng_stream *, void *, size_t);
+extern void *testutil_stream_recv_start(nng_stream *, void *, size_t);
+extern int testutil_stream_send_wait(void *);
+extern int testutil_stream_recv_wait(void *);
+
+// These are TLS certificates.  The client and server are signed with the
+// root.  The server uses CN 127.0.0.1.  Other details are bogus, but
+// designed to prevent accidental use elsewhere.
+extern const char *testutil_server_key;
+extern const char *testutil_server_crt;
+extern const char *testutil_client_key;
+extern const char *testutil_client_crt;
+
 // TEST_NNG_PASS tests for NNG success.  It reports the failure if it
 // did not.
 #define TEST_NNG_PASS(cond)                                          \