Release v0.9.5

Bump version to 0.9.5 Update copyright year to 2024 Update NEWS
Fix e2e tests with openssl 3
75 changed files with 3975 additions and 2028 deletions
--- a/2
+++ b/2
@ -1,6 +1,6 @@
 BSD 2-Clause License

-Copyright (c) 2017-2022, Soner Tari.
+Copyright (c) 2017-2024, Soner Tari.
 Copyright (c) 2009-2019, Daniel Roethlisberger and contributors.
 All rights reserved.

--- a/NEWS.md
+++ b/NEWS.md
@ -1,5 +1,26 @@


+### SSLproxy 0.9.5 2024-02-18
+
+-   Fix possible double free of host and serv variables, thanks to @disaykin
+-   Fix possible integer overflow, thanks to @disaykin
+-   Close fds only once, thanks to @disaykin
+-   Fix memory leak, thanks to @disaykin
+-   Handle ftell error, thanks to @disaykin
+-   Fix mismatched call arguments, thanks to @disaykin
+-   Fix memory leak in case of cert key mismatch, thanks to @disaykin
+-   Fix file descriptor leak, thanks to @disaykin
+-   Handle partial write, thanks to @disaykin
+-   Handle return value of gmtime(), thanks to @disaykin
+-   Fix double free bugs, thanks to @disaykin
+	- Bugs found by Svace static analyzer
+-   Fix possible segfault in proto smtp in split mode
+-   Fix retval of privsep_server_opensock_verify(), thanks to @Qbog
+-   Fix header-size calculation in IPv6 packet mirroring, thanks to @matoro
+-   Fix e2e tests with openssl 3
+-   Replace deprecated fail_unless() with ck_assert_msg() in unit tests
+
+
 ### SSLproxy 0.9.4 2022-12-26

 -   Fix byte order for ports in mirror trafic, thanks to piolug93.
--- a/README.md
+++ b/README.md
@ -1,6 +1,6 @@
 # SSLproxy - transparent SSL/TLS proxy for decrypting and diverting network traffic to other programs for deep SSL inspection [![Build Status](https://travis-ci.com/sonertari/SSLproxy.svg?branch=master)](https://app.travis-ci.com/github/sonertari/SSLproxy)

-Copyright (C) 2017-2022, [Soner Tari](mailto:sonertari@gmail.com).
+Copyright (C) 2017-2024, [Soner Tari](mailto:sonertari@gmail.com).
 https://github.com/sonertari/SSLproxy

 Copyright (C) 2009-2019, [Daniel Roethlisberger](//daniel.roe.ch/).
--- a/src/dynbuf.c
+++ b/src/dynbuf.c
@ -93,6 +93,11 @@ dynbuf_new_file(const char *filename)
 	}
 	fseek(f, 0, SEEK_END);
 	db->sz = ftell(f);
+	if (db->sz == (size_t)-1) {
+		free(db);
+		fclose(f);
+		return NULL;
+	}
 	fseek(f, 0, SEEK_SET);
 	if (!(db->buf = malloc(db->sz))) {
 		free(db);
--- a/src/filter.c
+++ b/src/filter.c
@ -1,7 +1,7 @@
 /*-
 * SSLproxy
 *
- * Copyright (c) 2017-2022, Soner Tari <sonertari@gmail.com>.
+ * Copyright (c) 2017-2024, Soner Tari <sonertari@gmail.com>.
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
--- a/src/filter.h
+++ b/src/filter.h
@ -1,7 +1,7 @@
 /*-
 * SSLproxy
 *
- * Copyright (c) 2017-2022, Soner Tari <sonertari@gmail.com>.
+ * Copyright (c) 2017-2024, Soner Tari <sonertari@gmail.com>.
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
--- a/src/log.c
+++ b/src/log.c
@ -303,7 +303,9 @@ log_masterkey_writecb(UNUSED int level, UNUSED void *fh, UNUSED unsigned long ct
 static void
 log_masterkey_fini(void)
 {
-	close(masterkey_fd);
+	if (masterkey_fd != -1)
+		close(masterkey_fd);
+	masterkey_fd = -1;
 }

 /*
@ -367,7 +369,11 @@ log_connect_writecb(UNUSED int level, UNUSED void *fh, UNUSED unsigned long ctl,
 	size_t n;

 	time(&epoch);
-	utc = gmtime(&epoch);
+	if ((utc = gmtime(&epoch)) == NULL) {
+		log_err_level_printf(LOG_CRIT, "Failed to convert time: %s (%i)\n",
+		               strerror(errno), errno);
+		return -1;
+	}
 	n = strftime(timebuf, sizeof(timebuf), "%Y-%m-%d %H:%M:%S UTC ", utc);
 	if (n == 0) {
 		log_err_level_printf(LOG_CRIT, "Error from strftime(): buffer too small\n");
@ -385,7 +391,9 @@ log_connect_writecb(UNUSED int level, UNUSED void *fh, UNUSED unsigned long ctl,
 static void
 log_connect_fini(void)
 {
-	close(connect_fd);
+	if (connect_fd != -1)
+		close(connect_fd);
+	connect_fd = -1;
 }

 static int
@ -650,8 +658,11 @@ log_content_format_pathspec(const char *logspec,
 				struct tm *utc;

 				time(&epoch);
-				utc = gmtime(&epoch);
-				strftime(timebuf, sizeof(timebuf), iso8601, utc);
+				if ((utc = gmtime(&epoch)) == NULL) {
+					snprintf(timebuf, sizeof(timebuf), "gmtime error");
+				} else {
+					strftime(timebuf, sizeof(timebuf), iso8601, utc);
+				}

 				elem = timebuf;
 				elem_len = sizeof(timebuf);
@ -760,7 +771,6 @@ log_content_open(log_content_ctx_t *ctx, global_t *global,
 		dsthost_clean = sys_ip46str_sanitize(dsthost);
 		if (!dsthost_clean) {
 			log_err_level_printf(LOG_CRIT, "Failed to sanitize dsthost\n");
-			free(srchost_clean);
 			goto errout;
 		}
 	}
@ -1245,7 +1255,11 @@ log_content_file_single_prepcb(void *fh, unsigned long prepflags,
 	}
 	lb = head;
 	time(&epoch);
-	utc = gmtime(&epoch);
+	if ((utc = gmtime(&epoch)) == NULL) {
+		log_err_level_printf(LOG_CRIT, "Failed to convert time\n");
+		logbuf_free(lb);
+		return NULL;
+	}
 	lb->sz = strftime((char*)lb->buf, lb->sz, "%Y-%m-%d %H:%M:%S UTC ",
 	                  utc);

@ -1551,10 +1565,8 @@ log_cert_submit(const char *fn, X509 *crt)
 	if (!(pem = ssl_x509_to_pem(crt)))
 		goto errout2;
 	if (!(lb = logbuf_new(0, pem, strlen(pem), NULL)))
-		goto errout3;
+		goto errout2;
 	return logger_submit(cert_log, fh, 0, lb);
-errout3:
-	free(pem);
 errout2:
 	free(fh);
 errout1:
--- a/src/logger.c
+++ b/src/logger.c
@ -210,11 +210,14 @@ logger_thread(void *arg)
 		if (logbuf_ctl_isset(lb, LBFLAG_REOPEN)) {
 			if (logger->reopen() != 0)
 				e = 1;
+			logbuf_free(lb);
 		} else if (logbuf_ctl_isset(lb, LBFLAG_OPEN)) {
 			if (logger->open(lb->fh) != 0)
 				e = 1;
+			logbuf_free(lb);
 		} else if (logbuf_ctl_isset(lb, LBFLAG_CLOSE)) {
 			logger->close(lb->fh, lb->ctl);
+			logbuf_free(lb);
 		} else {
 			if (logbuf_write_free(lb, logger->write) < 0)
 				e = 1;
@ -303,7 +306,6 @@ logger_printf(logger_t *logger, void *fh, unsigned long prepflags,

 	if (!(lb = logbuf_new(0, NULL, 0, NULL)))
 		return -1;
-	lb->fh = fh;
 	va_start(ap, fmt);
 	lb->sz = vasprintf((char**)&lb->buf, fmt, ap);
 	va_end(ap);
@ -321,7 +323,6 @@ logger_write(logger_t *logger, void *fh, unsigned long prepflags,

 	if (!(lb = logbuf_new_copy(buf, sz, NULL)))
 		return -1;
-	lb->fh = fh;
 	return logger_submit(logger, fh, prepflags, lb);
 }
 int
@ -332,7 +333,6 @@ logger_print(logger_t *logger, void *fh, unsigned long prepflags,

 	if (!(lb = logbuf_new_copy(s, strlen(s), NULL)))
 		return -1;
-	lb->fh = fh;
 	return logger_submit(logger, fh, prepflags, lb);
 }
 int
@ -343,19 +343,13 @@ logger_write_freebuf(logger_t *logger, int level, void *fh, unsigned long prepfl

 	if (!(lb = logbuf_new(level, buf, sz, NULL)))
 		return -1;
-	lb->fh = fh;
 	return logger_submit(logger, fh, prepflags, lb);
 }
 int
 logger_print_freebuf(logger_t *logger, void *fh, unsigned long prepflags,
                     char *s)
 {
-	logbuf_t *lb;
-
-	if (!(lb = logbuf_new(0, s, strlen(s), NULL)))
-		return -1;
-	lb->fh = fh;
-	return logger_submit(logger, fh, prepflags, lb);
+	return logger_write_freebuf(logger, 0, fh, prepflags, s, strlen(s));
 }

 /* vim: set noet ft=c: */
--- a/src/logpkt.c
+++ b/src/logpkt.c
@ -184,6 +184,22 @@ typedef struct __attribute__((packed)) {
 #define CSIN(X)         ((const struct sockaddr_in *)(X))
 #define CSIN6(X)        ((const struct sockaddr_in6 *)(X))

+static int
+logpkt_write_all(int fd, const void *data, size_t sz)
+{
+	const char *ptr = data;
+	while (sz > 0) {
+		ssize_t w = write(fd, ptr, sz);
+		if (w == -1 && errno == EINTR)
+			continue;
+		if (w == -1)
+			return -1;
+		ptr += w;
+		sz -= w;
+	}
+	return 0;
+}
+
 /*
 * Write the PCAP file-level header to file descriptor *fd* open for writing,
 * positioned at the beginning of an empty file.
@ -201,7 +217,7 @@ logpkt_write_global_pcap_hdr(int fd)
 	hdr.version_minor = 4;
 	hdr.snaplen = MAX_PKTSZ;
 	hdr.network = 1;
-	return write(fd, &hdr, sizeof(hdr)) != sizeof(hdr) ? -1 : 0;
+	return logpkt_write_all(fd, &hdr, sizeof(hdr));
 }

 /*
@ -289,12 +305,12 @@ logpkt_pcap_write(const uint8_t *pkt, size_t pktsz, int fd)
 	rec_hdr.ts_usec = tv.tv_usec;
 	rec_hdr.orig_len = rec_hdr.incl_len = pktsz;

-	if (write(fd, &rec_hdr, sizeof(rec_hdr)) != sizeof(rec_hdr)) {
+	if (logpkt_write_all(fd, &rec_hdr, sizeof(rec_hdr)) == -1) {
 		log_err_printf("Error writing pcap record hdr: %s\n",
 		               strerror(errno));
 		return -1;
 	}
-	if (write(fd, pkt, pktsz) != (ssize_t)pktsz) {
+	if (logpkt_write_all(fd, pkt, pktsz) == -1) {
 		log_err_printf("Error writing pcap record: %s\n",
 		               strerror(errno));
 		return -1;
@ -386,7 +402,7 @@ logpkt_pcap_build(uint8_t *pkt,
 		                 sizeof(ip6_hdr->src_addr));
 		CHKSUM_ADD_RANGE(sum, ip6_hdr->dst_addr,
 		                 sizeof(ip6_hdr->dst_addr));
-		CHKSUM_ADD_UINT32(sum, ip6_hdr->len);
+		CHKSUM_ADD_UINT32(sum, (uint32_t)ip6_hdr->len);
 		CHKSUM_ADD_UINT16(sum, htons(IPPROTO_TCP));
 	}
 	tcp_hdr->seq = htonl(seq);
@ -456,8 +472,7 @@ logpkt_mirror_build(libnet_t *libnet,
 	} else {
 		ptag = libnet_build_ipv6(0,             /* traffic class */
 		                         0,             /* flow label */
-		                         LIBNET_IPV6_H + LIBNET_TCP_H +
-		                         payloadlen,
+		                         LIBNET_TCP_H + payloadlen,
 		                         IPPROTO_TCP,
 		                         255,           /* hop limit */
 		                         *(struct libnet_in6_addr *)
@ -544,7 +559,7 @@ logpkt_write_packet(logpkt_ctx_t *ctx, int fd, int direction, char flags,
 			                         payload, payloadlen);
 		} else {
 			rv = logpkt_mirror_build(ctx->libnet,
-			                         ctx->src_ether, ctx->dst_ether,
+			                         ctx->dst_ether, ctx->src_ether,
 			                         CSA(&ctx->dst_addr),
 			                         CSA(&ctx->src_addr),
 			                         flags,
--- a/src/main.c
+++ b/src/main.c
@ -3,7 +3,7 @@
 * https://www.roe.ch/SSLsplit
 *
 * Copyright (c) 2009-2019, Daniel Roethlisberger <daniel@roe.ch>.
- * Copyright (c) 2017-2022, Soner Tari <sonertari@gmail.com>.
+ * Copyright (c) 2017-2024, Soner Tari <sonertari@gmail.com>.
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
@ -99,7 +99,7 @@ main_version(void)
 		fprintf(stderr, "---------------------------------------"
 		                "---------------------------------------\n");
 	}
-	fprintf(stderr, "Copyright (c) 2017-2022, Soner Tari <sonertari@gmail.com>\n");
+	fprintf(stderr, "Copyright (c) 2017-2024, Soner Tari <sonertari@gmail.com>\n");
 	fprintf(stderr, "https://github.com/sonertari/SSLproxy\n");
 	fprintf(stderr, "Copyright (c) 2009-2019, "
 	                "Daniel Roethlisberger <daniel@roe.ch>\n");
--- a/src/opts.c
+++ b/src/opts.c
@ -3,7 +3,7 @@
 * https://www.roe.ch/SSLsplit
 *
 * Copyright (c) 2009-2019, Daniel Roethlisberger <daniel@roe.ch>.
- * Copyright (c) 2017-2022, Soner Tari <sonertari@gmail.com>.
+ * Copyright (c) 2017-2024, Soner Tari <sonertari@gmail.com>.
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
@ -109,6 +109,7 @@ opts_load_cert_chain_key(const char *filename)
 		log_err_level_printf(LOG_CRIT, "Cert does not match key in PEM file "
 		                "'%s':\n", filename);
 		ERR_print_errors_fp(stderr);
+		cert_free(cert);
 		return NULL;
 	}

--- a/src/opts.h
+++ b/src/opts.h
@ -3,7 +3,7 @@
 * https://www.roe.ch/SSLsplit
 *
 * Copyright (c) 2009-2019, Daniel Roethlisberger <daniel@roe.ch>.
- * Copyright (c) 2017-2022, Soner Tari <sonertari@gmail.com>.
+ * Copyright (c) 2017-2024, Soner Tari <sonertari@gmail.com>.
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
--- a/src/privsep.c
+++ b/src/privsep.c
@ -3,7 +3,7 @@
 * https://www.roe.ch/SSLsplit
 *
 * Copyright (c) 2009-2019, Daniel Roethlisberger <daniel@roe.ch>.
- * Copyright (c) 2017-2022, Soner Tari <sonertari@gmail.com>.
+ * Copyright (c) 2017-2024, Soner Tari <sonertari@gmail.com>.
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
@ -232,6 +232,7 @@ privsep_server_openfile(const char *fn, int mkpath)
 		log_err_level_printf(LOG_CRIT, "Failed to seek on '%s': %s (%i)\n",
 		               fn, strerror(errno), errno);
 		errno = tmp;
+		close(fd);
 		return -1;
 	}
 	return fd;
@ -246,7 +247,7 @@ privsep_server_opensock_verify(global_t *global, void *arg)
 		if (spec == arg)
 			return 0;
 	}
-	return 1;
+	return -1;
 }

 static int WUNRES
--- a/src/protoautossl.c
+++ b/src/protoautossl.c
@ -3,7 +3,7 @@
 * https://www.roe.ch/SSLsplit
 *
 * Copyright (c) 2009-2019, Daniel Roethlisberger <daniel@roe.ch>.
- * Copyright (c) 2017-2022, Soner Tari <sonertari@gmail.com>.
+ * Copyright (c) 2017-2024, Soner Tari <sonertari@gmail.com>.
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
--- a/src/protoautossl.h
+++ b/src/protoautossl.h
@ -3,7 +3,7 @@
 * https://www.roe.ch/SSLsplit
 *
 * Copyright (c) 2009-2019, Daniel Roethlisberger <daniel@roe.ch>.
- * Copyright (c) 2017-2022, Soner Tari <sonertari@gmail.com>.
+ * Copyright (c) 2017-2024, Soner Tari <sonertari@gmail.com>.
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
--- a/src/protohttp.c
+++ b/src/protohttp.c
@ -3,7 +3,7 @@
 * https://www.roe.ch/SSLsplit
 *
 * Copyright (c) 2009-2019, Daniel Roethlisberger <daniel@roe.ch>.
- * Copyright (c) 2017-2022, Soner Tari <sonertari@gmail.com>.
+ * Copyright (c) 2017-2024, Soner Tari <sonertari@gmail.com>.
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
@ -152,7 +152,6 @@ protohttp_log_connect(pxy_conn_ctx_t *ctx)
 	}
 	if (ctx->global->connectlog) {
 		if (log_connect_print_free(msg) == -1) {
-			free(msg);
 			log_err_level_printf(LOG_WARNING, "Connection logging failed\n");
 		}
 	} else {
--- a/src/protohttp.h
+++ b/src/protohttp.h
@ -3,7 +3,7 @@
 * https://www.roe.ch/SSLsplit
 *
 * Copyright (c) 2009-2019, Daniel Roethlisberger <daniel@roe.ch>.
- * Copyright (c) 2017-2022, Soner Tari <sonertari@gmail.com>.
+ * Copyright (c) 2017-2024, Soner Tari <sonertari@gmail.com>.
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
--- a/src/protopassthrough.c
+++ b/src/protopassthrough.c
@ -3,7 +3,7 @@
 * https://www.roe.ch/SSLsplit
 *
 * Copyright (c) 2009-2019, Daniel Roethlisberger <daniel@roe.ch>.
- * Copyright (c) 2017-2022, Soner Tari <sonertari@gmail.com>.
+ * Copyright (c) 2017-2024, Soner Tari <sonertari@gmail.com>.
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
--- a/src/protopassthrough.h
+++ b/src/protopassthrough.h
@ -3,7 +3,7 @@
 * https://www.roe.ch/SSLsplit
 *
 * Copyright (c) 2009-2019, Daniel Roethlisberger <daniel@roe.ch>.
- * Copyright (c) 2017-2022, Soner Tari <sonertari@gmail.com>.
+ * Copyright (c) 2017-2024, Soner Tari <sonertari@gmail.com>.
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
--- a/src/protopop3.c
+++ b/src/protopop3.c
@ -1,7 +1,7 @@
 /*-
 * SSLproxy - transparent SSL/TLS proxy
 *
- * Copyright (c) 2017-2022, Soner Tari <sonertari@gmail.com>.
+ * Copyright (c) 2017-2024, Soner Tari <sonertari@gmail.com>.
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
--- a/src/protopop3.h
+++ b/src/protopop3.h
@ -1,7 +1,7 @@
 /*-
 * SSLproxy - transparent SSL/TLS proxy
 *
- * Copyright (c) 2017-2022, Soner Tari <sonertari@gmail.com>.
+ * Copyright (c) 2017-2024, Soner Tari <sonertari@gmail.com>.
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
--- a/src/protosmtp.c
+++ b/src/protosmtp.c
@ -1,7 +1,7 @@
 /*-
 * SSLproxy - transparent SSL/TLS proxy
 *
- * Copyright (c) 2017-2022, Soner Tari <sonertari@gmail.com>.
+ * Copyright (c) 2017-2024, Soner Tari <sonertari@gmail.com>.
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
@ -222,7 +222,11 @@ protosmtp_bev_eventcb_connected_dst(struct bufferevent *bev, pxy_conn_ctx_t *ctx

 	ctx->connected = 1;
 	bufferevent_enable(bev, EV_READ|EV_WRITE);
-	bufferevent_enable(ctx->srvdst.bev, EV_READ);
+
+	// srvdst is disabled in split mode, see prototcp_setup_dst()
+	if (ctx->srvdst.bev) {
+		bufferevent_enable(ctx->srvdst.bev, EV_READ);
+	}

 	if (ctx->proto == PROTO_SMTP) {
 		prototcp_enable_src(ctx);
--- a/src/protosmtp.h
+++ b/src/protosmtp.h
@ -1,7 +1,7 @@
 /*-
 * SSLproxy - transparent SSL/TLS proxy
 *
- * Copyright (c) 2017-2022, Soner Tari <sonertari@gmail.com>.
+ * Copyright (c) 2017-2024, Soner Tari <sonertari@gmail.com>.
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
--- a/src/protossl.c
+++ b/src/protossl.c
@ -3,7 +3,7 @@
 * https://www.roe.ch/SSLsplit
 *
 * Copyright (c) 2009-2019, Daniel Roethlisberger <daniel@roe.ch>.
- * Copyright (c) 2017-2022, Soner Tari <sonertari@gmail.com>.
+ * Copyright (c) 2017-2024, Soner Tari <sonertari@gmail.com>.
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
--- a/src/protossl.h
+++ b/src/protossl.h
@ -3,7 +3,7 @@
 * https://www.roe.ch/SSLsplit
 *
 * Copyright (c) 2009-2019, Daniel Roethlisberger <daniel@roe.ch>.
- * Copyright (c) 2017-2022, Soner Tari <sonertari@gmail.com>.
+ * Copyright (c) 2017-2024, Soner Tari <sonertari@gmail.com>.
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
--- a/src/prototcp.c
+++ b/src/prototcp.c
@ -3,7 +3,7 @@
 * https://www.roe.ch/SSLsplit
 *
 * Copyright (c) 2009-2019, Daniel Roethlisberger <daniel@roe.ch>.
- * Copyright (c) 2017-2022, Soner Tari <sonertari@gmail.com>.
+ * Copyright (c) 2017-2024, Soner Tari <sonertari@gmail.com>.
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
--- a/src/prototcp.h
+++ b/src/prototcp.h
@ -3,7 +3,7 @@
 * https://www.roe.ch/SSLsplit
 *
 * Copyright (c) 2009-2019, Daniel Roethlisberger <daniel@roe.ch>.
- * Copyright (c) 2017-2022, Soner Tari <sonertari@gmail.com>.
+ * Copyright (c) 2017-2024, Soner Tari <sonertari@gmail.com>.
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
--- a/src/pxyconn.c
+++ b/src/pxyconn.c
@ -3,7 +3,7 @@
 * https://www.roe.ch/SSLsplit
 *
 * Copyright (c) 2009-2019, Daniel Roethlisberger <daniel@roe.ch>.
- * Copyright (c) 2017-2022, Soner Tari <sonertari@gmail.com>.
+ * Copyright (c) 2017-2024, Soner Tari <sonertari@gmail.com>.
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
@ -529,7 +529,6 @@ pxy_log_connect_nonhttp(pxy_conn_ctx_t *ctx)
 	}
 	if (ctx->global->connectlog) {
 		if (log_connect_print_free(msg) == -1) {
-			free(msg);
 			log_err_level_printf(LOG_WARNING, "Connection logging failed\n");
 		}
 	} else {
--- a/src/pxyconn.h
+++ b/src/pxyconn.h
@ -3,7 +3,7 @@
 * https://www.roe.ch/SSLsplit
 *
 * Copyright (c) 2009-2019, Daniel Roethlisberger <daniel@roe.ch>.
- * Copyright (c) 2017-2022, Soner Tari <sonertari@gmail.com>.
+ * Copyright (c) 2017-2024, Soner Tari <sonertari@gmail.com>.
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
--- a/src/pxythr.c
+++ b/src/pxythr.c
@ -2,7 +2,7 @@
 * SSLsplit - transparent SSL/TLS interception
 * https://www.roe.ch/SSLsplit
 *
- * Copyright (c) 2017-2022, Soner Tari <sonertari@gmail.com>.
+ * Copyright (c) 2017-2024, Soner Tari <sonertari@gmail.com>.
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
--- a/src/pxythr.h
+++ b/src/pxythr.h
@ -2,7 +2,7 @@
 * SSLsplit - transparent SSL/TLS interception
 * https://www.roe.ch/SSLsplit
 *
- * Copyright (c) 2017-2022, Soner Tari <sonertari@gmail.com>.
+ * Copyright (c) 2017-2024, Soner Tari <sonertari@gmail.com>.
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
--- a/src/pxythrmgr.c
+++ b/src/pxythrmgr.c
@ -3,7 +3,7 @@
 * https://www.roe.ch/SSLsplit
 *
 * Copyright (c) 2009-2019, Daniel Roethlisberger <daniel@roe.ch>.
- * Copyright (c) 2017-2022, Soner Tari <sonertari@gmail.com>.
+ * Copyright (c) 2017-2024, Soner Tari <sonertari@gmail.com>.
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
--- a/src/pxythrmgr.h
+++ b/src/pxythrmgr.h
@ -3,7 +3,7 @@
 * https://www.roe.ch/SSLsplit
 *
 * Copyright (c) 2009-2019, Daniel Roethlisberger <daniel@roe.ch>.
- * Copyright (c) 2017-2022, Soner Tari <sonertari@gmail.com>.
+ * Copyright (c) 2017-2024, Soner Tari <sonertari@gmail.com>.
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
--- a/src/ssl.c
+++ b/src/ssl.c
@ -1979,6 +1979,16 @@ ssl_is_ocspreq(const unsigned char *buf, size_t sz)
 	return 1;
 }

+static uint16_t
+len2(uint8_t p0, uint8_t p1) {
+	return (uint16_t)p1 + ((uint16_t)p0 << 8);
+}
+
+static uint32_t
+len3(uint8_t p0, uint8_t p1, uint8_t p2) {
+	return (uint32_t)p2 + ((uint32_t)p1 << 8) + ((uint32_t)p0 << 16);
+}
+
 /*
 * Ugly hack to manually parse a clientHello message from a memory buffer.
 * This is needed in order to be able to support SNI and STARTTLS.
@ -2037,13 +2047,13 @@ ssl_tls_clienthello_parse(const unsigned char *buf, ssize_t sz, int search,
 #endif /* !DEBUG_CLIENTHELLO_PARSER */
 	const unsigned char *p = buf;
 	ssize_t n = sz;
-	char *sn = NULL;

 	*clienthello = NULL;

 	DBG_printf("parsing buffer of sz %zd\n", sz);

 	do {
+		char *sn = NULL;
 		if (*clienthello) {
 			/*
 			 * Rewind after skipping an invalid ClientHello by
@ -2052,10 +2062,6 @@ ssl_tls_clienthello_parse(const unsigned char *buf, ssize_t sz, int search,
 			 */
 			p = (*clienthello) + 1;
 			n = sz - (p - buf);
-			if (sn) {
-				free(sn);
-				sn = NULL;
-			}
 		}

 		if (search) {
@ -2114,15 +2120,15 @@ ssl_tls_clienthello_parse(const unsigned char *buf, ssize_t sz, int search,
 			p += 2; n -= 2;

 			DBG_printf("cipher-spec-len: %02x %02x\n", p[0], p[1]);
-			ssize_t cipherspec_len = p[0] << 8 | p[1];
+			ssize_t cipherspec_len = len2(p[0], p[1]);
 			p += 2; n -= 2;

 			DBG_printf("session-id-len: %02x %02x\n", p[0], p[1]);
-			ssize_t sessionid_len = p[0] << 8 | p[1];
+			ssize_t sessionid_len = len2(p[0], p[1]);
 			p += 2; n -= 2;

 			DBG_printf("challenge-len: %02x %02x\n", p[0], p[1]);
-			ssize_t challenge_len = p[0] << 8 | p[1];
+			ssize_t challenge_len = len2(p[0], p[1]);
 			p += 2; n -= 2;
 			if (challenge_len < 16 || challenge_len > 32)
 				continue;
@ -2165,7 +2171,7 @@ ssl_tls_clienthello_parse(const unsigned char *buf, ssize_t sz, int search,
 			return 1;
 		}
 		DBG_printf("length: %02x %02x\n", p[0], p[1]);
-		ssize_t recordlen = p[1] + (p[0] << 8);
+		ssize_t recordlen = len2(p[0], p[1]);
 		DBG_printf("recordlen=%zd\n", recordlen);
 		p += 2; n -= 2;
 		if (recordlen < 36) /* arbitrary size too small for a c-h */
@ -2190,7 +2196,8 @@ ssl_tls_clienthello_parse(const unsigned char *buf, ssize_t sz, int search,
 		if (n < 3)
 			continue;
 		DBG_printf("message len: %02x %02x %02x\n", p[0], p[1], p[2]);
-		ssize_t msglen = p[2] + (p[1] << 8) + (p[0] << 16);
+
+		ssize_t msglen = len3(p[0], p[1], p[2]);
 		DBG_printf("msglen=%zd\n", msglen);
 		p += 3; n -= 3;
 		if (msglen < 32) /* arbitrary size too small for a c-h */
@ -2232,7 +2239,8 @@ ssl_tls_clienthello_parse(const unsigned char *buf, ssize_t sz, int search,
 			continue;
 		DBG_printf("clienthello cipher suites length %02x %02x\n",
 		           p[0], p[1]);
-		ssize_t suiteslen = p[1] + (p[0] << 8);
+
+		ssize_t suiteslen = len2(p[0], p[1]);
 		p += 2; n -= 2;
 		if (n < suiteslen)
 			continue;
@ -2261,7 +2269,7 @@ ssl_tls_clienthello_parse(const unsigned char *buf, ssize_t sz, int search,
 		if (n < 2)
 			continue;
 		DBG_printf("tlsexts length %02x %02x\n", p[0], p[1]);
-		ssize_t tlsextslen = p[1] + (p[0] << 8);
+		ssize_t tlsextslen = len2(p[0], p[1]);
 		DBG_printf("tlsextslen %zd\n", tlsextslen);
 		p += 2; n -= 2;
 		if (n < tlsextslen)
@ -2273,8 +2281,8 @@ ssl_tls_clienthello_parse(const unsigned char *buf, ssize_t sz, int search,
 				goto continue_search;
 			DBG_printf("tlsext type %02x %02x len %02x %02x\n",
 			           p[0], p[1], p[2], p[3]);
-			unsigned short exttype = p[1] + (p[0] << 8);
-			ssize_t extlen = p[3] + (p[2] << 8);
+			unsigned short exttype = len2(p[0], p[1]);
+			ssize_t extlen = len2(p[2], p[3]);
 			p += 4; n -= 4;
 			if (n < extlen)
 				goto continue_search;
@ -2287,7 +2295,7 @@ ssl_tls_clienthello_parse(const unsigned char *buf, ssize_t sz, int search,
 					goto continue_search;
 				DBG_printf("list length %02x %02x\n",
 				           extp[0], extp[1]);
-				ssize_t namelistlen = extp[1] + (extp[0] << 8);
+				ssize_t namelistlen = len2(extp[0], extp[1]);
 				DBG_printf("namelistlen = %zd\n", namelistlen);
 				extp += 2;
 				extn -= 2;
@ -2302,7 +2310,7 @@ ssl_tls_clienthello_parse(const unsigned char *buf, ssize_t sz, int search,
 					           " len %02x %02x\n",
 					           extp[0], extp[1], extp[2]);
 					unsigned char sntype = extp[0];
-					ssize_t snlen = extp[2] + (extp[1]<<8);
+					ssize_t snlen = len2(extp[1], extp[2]);
 					extp += 3;
 					extn -= 3;
 					if (snlen > extn)
@ -2353,16 +2361,13 @@ done_parsing:
 			*servername = sn;
 		return 0;
 continue_search:
-		;
+		if (sn)
+			free(sn);
 	} while (search && n > 0);

 	/* No valid ClientHello messages found, not even a truncated one */
 	DBG_printf("===> No match: rv 1, *clienthello NULL\n");
 	*clienthello = NULL;
-	if (sn) {
-		free(sn);
-		sn = NULL;
-	}
 	return 1;
 }

--- a/src/sslproxy.1
+++ b/src/sslproxy.1
@ -4,7 +4,7 @@
 .\" https://github.com/sonertari/SSLproxy
 .\"
 .\" Copyright (c) 2009-2019, Daniel Roethlisberger <daniel@roe.ch>.
-.\" Copyright (c) 2017-2022, Soner Tari <sonertari@gmail.com>.
+.\" Copyright (c) 2017-2024, Soner Tari <sonertari@gmail.com>.
 .\" All rights reserved.
 .\"
 .\" Redistribution and use in source and binary forms, with or without
@ -27,7 +27,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
 .\" POSSIBILITY OF SUCH DAMAGE.
 .\"
-.TH "sslproxy" "1" "26 Dec 2022" "v0.9.4" "SSLproxy"
+.TH "sslproxy" "1" "18 Feb 2024" "v0.9.5" "SSLproxy"
 .SH NAME
 sslproxy \-\- transparent SSL/TLS proxy for decrypting and diverting network 
 traffic to other programs for deep SSL inspection
--- a/src/sslproxy.conf
+++ b/src/sslproxy.conf
@ -1,4 +1,4 @@
-# Sample configuration for sslproxy v0.9.4
+# Sample configuration for sslproxy v0.9.5
 #
 # Use the -f command line option to start sslproxy with a config file.
 # See sslproxy.conf(5) and sslproxy(1) for documentation.
--- a/src/sslproxy.conf.5
+++ b/src/sslproxy.conf.5
@ -3,7 +3,7 @@
 .\" https://github.com/sonertari/SSLproxy
 .\"
 .\" Copyright (c) 2009-2019, Daniel Roethlisberger <daniel@roe.ch>.
-.\" Copyright (c) 2017-2022, Soner Tari <sonertari@gmail.com>.
+.\" Copyright (c) 2017-2024, Soner Tari <sonertari@gmail.com>.
 .\" All rights reserved.
 .\"
 .\" Redistribution and use in source and binary forms, with or without
@ -26,7 +26,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
 .\" POSSIBILITY OF SUCH DAMAGE.
 .\"
-.TH "sslproxy.conf" "5" "26 Dec 2022" "v0.9.4" "SSLproxy"
+.TH "sslproxy.conf" "5" "18 Feb 2024" "v0.9.5" "SSLproxy"
 .SH "NAME"
 .LP 
 \fBsslproxy.conf\fR \- Configuration file for SSLproxy
--- a/src/sys.c
+++ b/src/sys.c
@ -486,6 +486,7 @@ sys_sockaddr_str(struct sockaddr *addr, socklen_t addrlen,
 		log_err_level_printf(LOG_CRIT, "Cannot get nameinfo for socket address: %s\n",
 		               gai_strerror(rv));
 		free(*serv);
+		*serv = NULL;
 		return -1;
 	}
 	hostsz = strlen(tmphost) + 1; /* including terminator */
@ -493,6 +494,7 @@ sys_sockaddr_str(struct sockaddr *addr, socklen_t addrlen,
 	if (!*host) {
 		log_err_level_printf(LOG_CRIT, "Cannot allocate memory\n");
 		free(*serv);
+		*serv = NULL;
 		return -1;
 	}
 	memcpy(*host, tmphost, hostsz);
--- a/tests/check/base64.t.c
+++ b/tests/check/base64.t.c
@ -61,9 +61,9 @@ START_TEST(base64_enc_01)
 	size_t sz;

 	buf = base64_enc((unsigned char *)plain01, strlen(plain01), &sz);
-	fail_unless(!!buf, "no buffer returned");
-	fail_unless(sz == strlen(coded01), "wrong length");
-	fail_unless(!memcmp(coded01, buf, sz), "wrong data");
+	ck_assert_msg(!!buf, "no buffer returned");
+	ck_assert_msg(sz == strlen(coded01), "wrong length");
+	ck_assert_msg(!memcmp(coded01, buf, sz), "wrong data");
 	free(buf);
 }
 END_TEST
@ -74,9 +74,9 @@ START_TEST(base64_enc_02)
 	size_t sz;

 	buf = base64_enc((unsigned char *)plain02, strlen(plain02), &sz);
-	fail_unless(!!buf, "no buffer returned");
-	fail_unless(sz == strlen(coded02), "wrong length");
-	fail_unless(!memcmp(coded02, buf, sz), "wrong data");
+	ck_assert_msg(!!buf, "no buffer returned");
+	ck_assert_msg(sz == strlen(coded02), "wrong length");
+	ck_assert_msg(!memcmp(coded02, buf, sz), "wrong data");
 	free(buf);
 }
 END_TEST
@ -87,9 +87,9 @@ START_TEST(base64_enc_03)
 	size_t sz;

 	buf = base64_enc((unsigned char *)plain03, strlen(plain03), &sz);
-	fail_unless(!!buf, "no buffer returned");
-	fail_unless(sz == strlen(coded03), "wrong length");
-	fail_unless(!memcmp(coded03, buf, sz), "wrong data");
+	ck_assert_msg(!!buf, "no buffer returned");
+	ck_assert_msg(sz == strlen(coded03), "wrong length");
+	ck_assert_msg(!memcmp(coded03, buf, sz), "wrong data");
 	free(buf);
 }
 END_TEST
@ -100,9 +100,9 @@ START_TEST(base64_enc_04)
 	size_t sz;

 	buf = base64_enc((unsigned char *)plain04, strlen(plain04), &sz);
-	fail_unless(!!buf, "no buffer returned");
-	fail_unless(sz == strlen(coded04), "wrong length");
-	fail_unless(!memcmp(coded04, buf, sz), "wrong data");
+	ck_assert_msg(!!buf, "no buffer returned");
+	ck_assert_msg(sz == strlen(coded04), "wrong length");
+	ck_assert_msg(!memcmp(coded04, buf, sz), "wrong data");
 	free(buf);
 }
 END_TEST
@ -113,9 +113,9 @@ START_TEST(base64_enc_05)
 	size_t sz;

 	buf = base64_enc((unsigned char *)plain05, strlen(plain05), &sz);
-	fail_unless(!!buf, "no buffer returned");
-	fail_unless(sz == strlen(coded05), "wrong length");
-	fail_unless(!memcmp(coded05, buf, sz), "wrong data");
+	ck_assert_msg(!!buf, "no buffer returned");
+	ck_assert_msg(sz == strlen(coded05), "wrong length");
+	ck_assert_msg(!memcmp(coded05, buf, sz), "wrong data");
 	free(buf);
 }
 END_TEST
@ -126,9 +126,9 @@ START_TEST(base64_enc_06)
 	size_t sz;

 	buf = base64_enc((unsigned char *)"", 0, &sz);
-	fail_unless(!!buf, "no buffer returned");
-	fail_unless(!sz, "length not 0");
-	fail_unless(!buf[0], "not empty string");
+	ck_assert_msg(!!buf, "no buffer returned");
+	ck_assert_msg(!sz, "length not 0");
+	ck_assert_msg(!buf[0], "not empty string");
 	free(buf);
 }
 END_TEST
@ -139,9 +139,9 @@ START_TEST(base64_dec_01)
 	size_t sz;

 	buf = base64_dec(coded01, strlen(coded01), &sz);
-	fail_unless(!!buf, "no buffer returned");
-	fail_unless(sz == strlen(plain01), "wrong length");
-	fail_unless(!memcmp(plain01, buf, sz), "wrong data");
+	ck_assert_msg(!!buf, "no buffer returned");
+	ck_assert_msg(sz == strlen(plain01), "wrong length");
+	ck_assert_msg(!memcmp(plain01, buf, sz), "wrong data");
 	free(buf);
 }
 END_TEST
@ -152,9 +152,9 @@ START_TEST(base64_dec_02)
 	size_t sz;

 	buf = base64_dec(coded02, strlen(coded02), &sz);
-	fail_unless(!!buf, "no buffer returned");
-	fail_unless(sz == strlen(plain02), "wrong length");
-	fail_unless(!memcmp(plain02, buf, sz), "wrong data");
+	ck_assert_msg(!!buf, "no buffer returned");
+	ck_assert_msg(sz == strlen(plain02), "wrong length");
+	ck_assert_msg(!memcmp(plain02, buf, sz), "wrong data");
 	free(buf);
 }
 END_TEST
@ -165,9 +165,9 @@ START_TEST(base64_dec_03)
 	size_t sz;

 	buf = base64_dec(coded03, strlen(coded03), &sz);
-	fail_unless(!!buf, "no buffer returned");
-	fail_unless(sz == strlen(plain03), "wrong length");
-	fail_unless(!memcmp(plain03, buf, sz), "wrong data");
+	ck_assert_msg(!!buf, "no buffer returned");
+	ck_assert_msg(sz == strlen(plain03), "wrong length");
+	ck_assert_msg(!memcmp(plain03, buf, sz), "wrong data");
 	free(buf);
 }
 END_TEST
@ -178,9 +178,9 @@ START_TEST(base64_dec_04)
 	size_t sz;

 	buf = base64_dec(coded04, strlen(coded04), &sz);
-	fail_unless(!!buf, "no buffer returned");
-	fail_unless(sz == strlen(plain04), "wrong length");
-	fail_unless(!memcmp(plain04, buf, sz), "wrong data");
+	ck_assert_msg(!!buf, "no buffer returned");
+	ck_assert_msg(sz == strlen(plain04), "wrong length");
+	ck_assert_msg(!memcmp(plain04, buf, sz), "wrong data");
 	free(buf);
 }
 END_TEST
@ -191,9 +191,9 @@ START_TEST(base64_dec_05)
 	size_t sz;

 	buf = base64_dec(coded05, strlen(coded05), &sz);
-	fail_unless(!!buf, "no buffer returned");
-	fail_unless(sz == strlen(plain05), "wrong length");
-	fail_unless(!memcmp(plain05, buf, sz), "wrong data");
+	ck_assert_msg(!!buf, "no buffer returned");
+	ck_assert_msg(sz == strlen(plain05), "wrong length");
+	ck_assert_msg(!memcmp(plain05, buf, sz), "wrong data");
 	free(buf);
 }
 END_TEST
@ -204,7 +204,7 @@ START_TEST(base64_dec_06)
 	size_t sz;

 	buf = base64_dec(coded06, strlen(coded06), &sz);
-	fail_unless(!buf, "buffer returned");
+	ck_assert_msg(!buf, "buffer returned");
 }
 END_TEST

@ -214,7 +214,7 @@ START_TEST(base64_dec_07)
 	size_t sz;

 	buf = base64_dec(coded07, strlen(coded07), &sz);
-	fail_unless(!buf, "buffer returned");
+	ck_assert_msg(!buf, "buffer returned");
 }
 END_TEST

@ -224,7 +224,7 @@ START_TEST(base64_dec_08)
 	size_t sz;

 	buf = base64_dec(coded08, strlen(coded08), &sz);
-	fail_unless(!buf, "buffer returned");
+	ck_assert_msg(!buf, "buffer returned");
 }
 END_TEST

@ -234,7 +234,7 @@ START_TEST(base64_dec_09)
 	size_t sz;

 	buf = base64_dec(coded09, strlen(coded09), &sz);
-	fail_unless(!buf, "buffer returned");
+	ck_assert_msg(!buf, "buffer returned");
 }
 END_TEST

@ -244,7 +244,7 @@ START_TEST(base64_dec_10)
 	size_t sz;

 	buf = base64_dec(coded10, strlen(coded10), &sz);
-	fail_unless(!buf, "buffer returned");
+	ck_assert_msg(!buf, "buffer returned");
 }
 END_TEST

@ -254,7 +254,7 @@ START_TEST(base64_dec_11)
 	size_t sz;

 	buf = base64_dec(coded11, strlen(coded11), &sz);
-	fail_unless(!buf, "buffer returned");
+	ck_assert_msg(!buf, "buffer returned");
 }
 END_TEST

@ -264,7 +264,7 @@ START_TEST(base64_dec_12)
 	size_t sz;

 	buf = base64_dec(coded12, strlen(coded12), &sz);
-	fail_unless(!buf, "buffer returned");
+	ck_assert_msg(!buf, "buffer returned");
 }
 END_TEST

@ -274,7 +274,7 @@ START_TEST(base64_dec_13)
 	size_t sz;

 	buf = base64_dec(coded13, strlen(coded13), &sz);
-	fail_unless(!buf, "buffer returned");
+	ck_assert_msg(!buf, "buffer returned");
 }
 END_TEST

@ -284,7 +284,7 @@ START_TEST(base64_dec_14)
 	size_t sz;

 	buf = base64_dec(coded14, strlen(coded14), &sz);
-	fail_unless(!buf, "buffer returned");
+	ck_assert_msg(!buf, "buffer returned");
 }
 END_TEST

@ -294,7 +294,7 @@ START_TEST(base64_dec_15)
 	size_t sz;

 	buf = base64_dec(coded15, strlen(coded15), &sz);
-	fail_unless(!buf, "buffer returned");
+	ck_assert_msg(!buf, "buffer returned");
 }
 END_TEST

@ -304,9 +304,9 @@ START_TEST(base64_dec_16)
 	size_t sz;

 	buf = base64_dec("", 0, &sz);
-	fail_unless(!!buf, "no buffer returned");
-	fail_unless(!sz, "length not 0");
-	fail_unless(!buf[0], "not empty string");
+	ck_assert_msg(!!buf, "no buffer returned");
+	ck_assert_msg(!sz, "length not 0");
+	ck_assert_msg(!buf[0], "not empty string");
 	free(buf);
 }
 END_TEST
--- a/tests/check/cachedsess.t.c
+++ b/tests/check/cachedsess.t.c
@ -86,13 +86,13 @@ START_TEST(cache_dsess_01)
 	SSL_SESSION *s1, *s2;

 	s1 = ssl_session_from_file(TMP_SESS_FILE);
-	fail_unless(!!s1, "creating session failed");
-	fail_unless(ssl_session_is_valid(s1), "session invalid");
+	ck_assert_msg(!!s1, "creating session failed");
+	ck_assert_msg(ssl_session_is_valid(s1), "session invalid");

 	cachemgr_dsess_set((struct sockaddr*)&addr, addrlen, sni, s1);
 	s2 = cachemgr_dsess_get((struct sockaddr*)&addr, addrlen, sni);
-	fail_unless(!!s2, "cache returned no session");
-	fail_unless(s2 != s1, "cache returned same pointer");
+	ck_assert_msg(!!s2, "cache returned no session");
+	ck_assert_msg(s2 != s1, "cache returned same pointer");
 	SSL_SESSION_free(s1);
 	SSL_SESSION_free(s2);
 }
@ -103,11 +103,11 @@ START_TEST(cache_dsess_02)
 	SSL_SESSION *s1, *s2;

 	s1 = ssl_session_from_file(TMP_SESS_FILE);
-	fail_unless(!!s1, "creating session failed");
-	fail_unless(ssl_session_is_valid(s1), "session invalid");
+	ck_assert_msg(!!s1, "creating session failed");
+	ck_assert_msg(ssl_session_is_valid(s1), "session invalid");

 	s2 = cachemgr_dsess_get((struct sockaddr*)&addr, addrlen, sni);
-	fail_unless(s2 == NULL, "session was already in empty cache");
+	ck_assert_msg(s2 == NULL, "session was already in empty cache");
 	SSL_SESSION_free(s1);
 }
 END_TEST
@ -117,13 +117,13 @@ START_TEST(cache_dsess_03)
 	SSL_SESSION *s1, *s2;

 	s1 = ssl_session_from_file(TMP_SESS_FILE);
-	fail_unless(!!s1, "creating session failed");
-	fail_unless(ssl_session_is_valid(s1), "session invalid");
+	ck_assert_msg(!!s1, "creating session failed");
+	ck_assert_msg(ssl_session_is_valid(s1), "session invalid");

 	cachemgr_dsess_set((struct sockaddr*)&addr, addrlen, sni, s1);
 	cachemgr_dsess_del((struct sockaddr*)&addr, addrlen, sni);
 	s2 = cachemgr_dsess_get((struct sockaddr*)&addr, addrlen, sni);
-	fail_unless(s2 == NULL, "cache returned deleted session");
+	ck_assert_msg(s2 == NULL, "cache returned deleted session");
 	SSL_SESSION_free(s1);
 }
 END_TEST
@ -134,22 +134,22 @@ START_TEST(cache_dsess_04)
 	SSL_SESSION *s1, *s2;

 	s1 = ssl_session_from_file(TMP_SESS_FILE);
-	fail_unless(!!s1, "creating session failed");
-	fail_unless(ssl_session_is_valid(s1), "session invalid");
+	ck_assert_msg(!!s1, "creating session failed");
+	ck_assert_msg(ssl_session_is_valid(s1), "session invalid");

-	fail_unless(s1->references == 1, "refcount != 1");
+	ck_assert_msg(s1->references == 1, "refcount != 1");
 	cachemgr_dsess_set((struct sockaddr*)&addr, addrlen, sni, s1);
-	fail_unless(s1->references == 1, "refcount != 1");
+	ck_assert_msg(s1->references == 1, "refcount != 1");
 	s2 = cachemgr_dsess_get((struct sockaddr*)&addr, addrlen, sni);
-	fail_unless(s1->references == 1, "refcount != 1");
-	fail_unless(!!s2, "cache returned no session");
-	fail_unless(s2->references == 1, "refcount != 1");
+	ck_assert_msg(s1->references == 1, "refcount != 1");
+	ck_assert_msg(!!s2, "cache returned no session");
+	ck_assert_msg(s2->references == 1, "refcount != 1");
 	cachemgr_dsess_set((struct sockaddr*)&addr, addrlen, sni, s1);
-	fail_unless(s1->references == 1, "refcount != 1");
+	ck_assert_msg(s1->references == 1, "refcount != 1");
 	cachemgr_dsess_del((struct sockaddr*)&addr, addrlen, sni);
-	fail_unless(s1->references == 1, "refcount != 1");
+	ck_assert_msg(s1->references == 1, "refcount != 1");
 	cachemgr_dsess_set((struct sockaddr*)&addr, addrlen, sni, s1);
-	fail_unless(s1->references == 1, "refcount != 1");
+	ck_assert_msg(s1->references == 1, "refcount != 1");
 	SSL_SESSION_free(s1);
 	SSL_SESSION_free(s2);
 }
--- a/tests/check/cachefkcrt.t.c
+++ b/tests/check/cachefkcrt.t.c
@ -55,11 +55,11 @@ START_TEST(cache_fkcrt_01)
 	X509 *c1, *c2;

 	c1 = ssl_x509_load(TESTCERT);
-	fail_unless(!!c1, "loading certificate failed");
+	ck_assert_msg(!!c1, "loading certificate failed");
 	cachemgr_fkcrt_set(c1, c1);
 	c2 = cachemgr_fkcrt_get(c1);
-	fail_unless(!!c2, "cache did not return a certificate");
-	fail_unless(c2 == c1, "cache did not return same pointer");
+	ck_assert_msg(!!c2, "cache did not return a certificate");
+	ck_assert_msg(c2 == c1, "cache did not return same pointer");
 	X509_free(c1);
 	X509_free(c2);
 }
@ -70,9 +70,9 @@ START_TEST(cache_fkcrt_02)
 	X509 *c1, *c2;

 	c1 = ssl_x509_load(TESTCERT);
-	fail_unless(!!c1, "loading certificate failed");
+	ck_assert_msg(!!c1, "loading certificate failed");
 	c2 = cachemgr_fkcrt_get(c1);
-	fail_unless(c2 == NULL, "certificate was already in empty cache");
+	ck_assert_msg(c2 == NULL, "certificate was already in empty cache");
 	X509_free(c1);
 }
 END_TEST
@ -82,11 +82,11 @@ START_TEST(cache_fkcrt_03)
 	X509 *c1, *c2;

 	c1 = ssl_x509_load(TESTCERT);
-	fail_unless(!!c1, "loading certificate failed");
+	ck_assert_msg(!!c1, "loading certificate failed");
 	cachemgr_fkcrt_set(c1, c1);
 	cachemgr_fkcrt_del(c1);
 	c2 = cachemgr_fkcrt_get(c1);
-	fail_unless(c2 == NULL, "cache returned deleted certificate");
+	ck_assert_msg(c2 == NULL, "cache returned deleted certificate");
 	X509_free(c1);
 }
 END_TEST
@ -97,28 +97,28 @@ START_TEST(cache_fkcrt_04)
 	X509 *c1, *c2;

 	c1 = ssl_x509_load(TESTCERT);
-	fail_unless(!!c1, "loading certificate failed");
-	fail_unless(c1->references == 1, "refcount != 1");
+	ck_assert_msg(!!c1, "loading certificate failed");
+	ck_assert_msg(c1->references == 1, "refcount != 1");
 	cachemgr_fkcrt_set(c1, c1);
-	fail_unless(c1->references == 2, "refcount != 2");
+	ck_assert_msg(c1->references == 2, "refcount != 2");
 	c2 = cachemgr_fkcrt_get(c1);
-	fail_unless(c1->references == 3, "refcount != 3");
+	ck_assert_msg(c1->references == 3, "refcount != 3");
 	cachemgr_fkcrt_set(c1, c1);
-	fail_unless(c1->references == 3, "refcount != 3");
+	ck_assert_msg(c1->references == 3, "refcount != 3");
 	cachemgr_fkcrt_del(c1);
-	fail_unless(c1->references == 2, "refcount != 2");
+	ck_assert_msg(c1->references == 2, "refcount != 2");
 	cachemgr_fkcrt_set(c1, c1);
-	fail_unless(c1->references == 3, "refcount != 3");
+	ck_assert_msg(c1->references == 3, "refcount != 3");
 	X509_free(c1);
-	fail_unless(c1->references == 2, "refcount != 2");
+	ck_assert_msg(c1->references == 2, "refcount != 2");
 	cachemgr_fini();
-	fail_unless(c1->references == 1, "refcount != 1");
+	ck_assert_msg(c1->references == 1, "refcount != 1");
 	X509_free(c2);
 #if 0
 	/* deliberate access of free'd X509* */
-	fail_unless(c1->references == 0, "refcount != 0");
+	ck_assert_msg(c1->references == 0, "refcount != 0");
 #endif
-	fail_unless(cachemgr_preinit() != -1, "reinit");
+	ck_assert_msg(cachemgr_preinit() != -1, "reinit");
 }
 END_TEST
 #endif
--- a/tests/check/cachemgr.t.c
+++ b/tests/check/cachemgr.t.c
@ -36,7 +36,7 @@

 START_TEST(cache_types_01)
 {
-	fail_unless(sizeof(cache_iter_t) == sizeof(khiter_t),
+	ck_assert_msg(sizeof(cache_iter_t) == sizeof(khiter_t),
 	            "type mismatch: cache_iter_t != khiter_t");
 }
 END_TEST
--- a/tests/check/cachessess.t.c
+++ b/tests/check/cachessess.t.c
@ -81,14 +81,14 @@ START_TEST(cache_ssess_01)
 	unsigned int len;

 	s1 = ssl_session_from_file(TMP_SESS_FILE);
-	fail_unless(!!s1, "creating session failed");
-	fail_unless(ssl_session_is_valid(s1), "session invalid");
+	ck_assert_msg(!!s1, "creating session failed");
+	ck_assert_msg(ssl_session_is_valid(s1), "session invalid");

 	cachemgr_ssess_set(s1);
 	session_id = SSL_SESSION_get_id(s1, &len);
 	s2 = cachemgr_ssess_get(session_id, len);
-	fail_unless(!!s2, "cache returned no session");
-	fail_unless(s2 != s1, "cache returned same pointer");
+	ck_assert_msg(!!s2, "cache returned no session");
+	ck_assert_msg(s2 != s1, "cache returned same pointer");
 	SSL_SESSION_free(s1);
 	SSL_SESSION_free(s2);
 }
@ -101,12 +101,12 @@ START_TEST(cache_ssess_02)
 	unsigned int len;

 	s1 = ssl_session_from_file(TMP_SESS_FILE);
-	fail_unless(!!s1, "creating session failed");
-	fail_unless(ssl_session_is_valid(s1), "session invalid");
+	ck_assert_msg(!!s1, "creating session failed");
+	ck_assert_msg(ssl_session_is_valid(s1), "session invalid");

 	session_id = SSL_SESSION_get_id(s1, &len);
 	s2 = cachemgr_ssess_get(session_id, len);
-	fail_unless(s2 == NULL, "session was already in empty cache");
+	ck_assert_msg(s2 == NULL, "session was already in empty cache");
 	SSL_SESSION_free(s1);
 }
 END_TEST
@ -118,14 +118,14 @@ START_TEST(cache_ssess_03)
 	unsigned int len;

 	s1 = ssl_session_from_file(TMP_SESS_FILE);
-	fail_unless(!!s1, "creating session failed");
-	fail_unless(ssl_session_is_valid(s1), "session invalid");
+	ck_assert_msg(!!s1, "creating session failed");
+	ck_assert_msg(ssl_session_is_valid(s1), "session invalid");

 	cachemgr_ssess_set(s1);
 	cachemgr_ssess_del(s1);
 	session_id = SSL_SESSION_get_id(s1, &len);
 	s2 = cachemgr_ssess_get(session_id, len);
-	fail_unless(s2 == NULL, "cache returned deleted session");
+	ck_assert_msg(s2 == NULL, "cache returned deleted session");
 	SSL_SESSION_free(s1);
 }
 END_TEST
@ -138,23 +138,23 @@ START_TEST(cache_ssess_04)
 	unsigned int len;

 	s1 = ssl_session_from_file(TMP_SESS_FILE);
-	fail_unless(!!s1, "creating session failed");
-	fail_unless(ssl_session_is_valid(s1), "session invalid");
+	ck_assert_msg(!!s1, "creating session failed");
+	ck_assert_msg(ssl_session_is_valid(s1), "session invalid");

-	fail_unless(s1->references == 1, "refcount != 1");
+	ck_assert_msg(s1->references == 1, "refcount != 1");
 	cachemgr_ssess_set(s1);
-	fail_unless(s1->references == 1, "refcount != 1");
+	ck_assert_msg(s1->references == 1, "refcount != 1");
 	session_id = SSL_SESSION_get_id(s1, &len);
 	s2 = cachemgr_ssess_get(session_id, len);
-	fail_unless(s1->references == 1, "refcount != 1");
-	fail_unless(!!s2, "cache returned no session");
-	fail_unless(s2->references == 1, "refcount != 1");
+	ck_assert_msg(s1->references == 1, "refcount != 1");
+	ck_assert_msg(!!s2, "cache returned no session");
+	ck_assert_msg(s2->references == 1, "refcount != 1");
 	cachemgr_ssess_set(s1);
-	fail_unless(s1->references == 1, "refcount != 1");
+	ck_assert_msg(s1->references == 1, "refcount != 1");
 	cachemgr_ssess_del(s1);
-	fail_unless(s1->references == 1, "refcount != 1");
+	ck_assert_msg(s1->references == 1, "refcount != 1");
 	cachemgr_ssess_set(s1);
-	fail_unless(s1->references == 1, "refcount != 1");
+	ck_assert_msg(s1->references == 1, "refcount != 1");
 	SSL_SESSION_free(s1);
 	SSL_SESSION_free(s2);
 }
--- a/tests/check/cachetgcrt.t.c
+++ b/tests/check/cachetgcrt.t.c
@ -56,11 +56,11 @@ START_TEST(cache_tgcrt_01)
 	cert_t *c1, *c2;

 	c1 = cert_new_load(TESTCERT);
-	fail_unless(!!c1, "loading certificate failed");
+	ck_assert_msg(!!c1, "loading certificate failed");
 	cachemgr_tgcrt_set("daniel.roe.ch", c1);
 	c2 = cachemgr_tgcrt_get("daniel.roe.ch");
-	fail_unless(!!c2, "cache did not return a certificate");
-	fail_unless(c2 == c1, "cache did not return same pointer");
+	ck_assert_msg(!!c2, "cache did not return a certificate");
+	ck_assert_msg(c2 == c1, "cache did not return same pointer");
 	cert_free(c1);
 	cert_free(c2);
 }
@ -71,7 +71,7 @@ START_TEST(cache_tgcrt_02)
 	cert_t *c;

 	c = cachemgr_tgcrt_get("daniel.roe.ch");
-	fail_unless(c == NULL, "certificate was already in empty cache");
+	ck_assert_msg(c == NULL, "certificate was already in empty cache");
 }
 END_TEST

@ -80,11 +80,11 @@ START_TEST(cache_tgcrt_03)
 	cert_t *c1, *c2;

 	c1 = cert_new_load(TESTCERT);
-	fail_unless(!!c1, "loading certificate failed");
+	ck_assert_msg(!!c1, "loading certificate failed");
 	cachemgr_tgcrt_set("daniel.roe.ch", c1);
 	cachemgr_tgcrt_del("daniel.roe.ch");
 	c2 = cachemgr_tgcrt_get("daniel.roe.ch");
-	fail_unless(c2 == NULL, "cache returned deleted certificate");
+	ck_assert_msg(c2 == NULL, "cache returned deleted certificate");
 	cert_free(c1);
 }
 END_TEST
@ -94,28 +94,28 @@ START_TEST(cache_tgcrt_04)
 	cert_t *c1, *c2;

 	c1 = cert_new_load(TESTCERT);
-	fail_unless(!!c1, "loading certificate failed");
-	fail_unless(c1->references == 1, "refcount != 1");
+	ck_assert_msg(!!c1, "loading certificate failed");
+	ck_assert_msg(c1->references == 1, "refcount != 1");
 	cachemgr_tgcrt_set("daniel.roe.ch", c1);
-	fail_unless(c1->references == 2, "refcount != 2");
+	ck_assert_msg(c1->references == 2, "refcount != 2");
 	c2 = cachemgr_tgcrt_get("daniel.roe.ch");
-	fail_unless(c1->references == 3, "refcount != 3");
+	ck_assert_msg(c1->references == 3, "refcount != 3");
 	cachemgr_tgcrt_set("daniel.roe.ch", c1);
-	fail_unless(c1->references == 3, "refcount != 3");
+	ck_assert_msg(c1->references == 3, "refcount != 3");
 	cachemgr_tgcrt_del("daniel.roe.ch");
-	fail_unless(c1->references == 2, "refcount != 2");
+	ck_assert_msg(c1->references == 2, "refcount != 2");
 	cachemgr_tgcrt_set("daniel.roe.ch", c1);
-	fail_unless(c1->references == 3, "refcount != 3");
+	ck_assert_msg(c1->references == 3, "refcount != 3");
 	cert_free(c1);
-	fail_unless(c1->references == 2, "refcount != 2");
+	ck_assert_msg(c1->references == 2, "refcount != 2");
 	cachemgr_fini();
-	fail_unless(c1->references == 1, "refcount != 1");
+	ck_assert_msg(c1->references == 1, "refcount != 1");
 	cert_free(c2);
 #if 0
 	/* deliberate access of free'd cert_t* */
-	fail_unless(c1->references == 0, "refcount != 0");
+	ck_assert_msg(c1->references == 0, "refcount != 0");
 #endif
-	fail_unless(cachemgr_preinit() != -1, "reinit");
+	ck_assert_msg(cachemgr_preinit() != -1, "reinit");
 }
 END_TEST

--- a/tests/check/cert.t.c
+++ b/tests/check/cert.t.c
@ -41,11 +41,11 @@ START_TEST(cert_new_load_01)
 	cert_t *c;

 	c = cert_new_load(TESTCERT);
-	fail_unless(!!c, "loading PEM failed");
-	fail_unless(!!c->crt, "loading crt failed");
-	fail_unless(!!c->key, "loading key failed");
-	fail_unless(!!c->chain, "initializing chain stack failed");
-	fail_unless(sk_X509_num(c->chain) == 1, "loading chain failed");
+	ck_assert_msg(!!c, "loading PEM failed");
+	ck_assert_msg(!!c->crt, "loading crt failed");
+	ck_assert_msg(!!c->key, "loading key failed");
+	ck_assert_msg(!!c->chain, "initializing chain stack failed");
+	ck_assert_msg(sk_X509_num(c->chain) == 1, "loading chain failed");
 	cert_free(c);
 }
 END_TEST
@ -55,16 +55,16 @@ START_TEST(cert_refcount_inc_01)
 	cert_t *c;

 	c = cert_new_load(TESTCERT);
-	fail_unless(!!c, "loading PEM failed");
-	fail_unless(c->references == 1, "refcount mismatch");
+	ck_assert_msg(!!c, "loading PEM failed");
+	ck_assert_msg(c->references == 1, "refcount mismatch");
 	cert_refcount_inc(c);
-	fail_unless(c->references == 2, "refcount mismatch");
+	ck_assert_msg(c->references == 2, "refcount mismatch");
 	cert_free(c);
-	fail_unless(c->references == 1, "refcount mismatch");
+	ck_assert_msg(c->references == 1, "refcount mismatch");
 	cert_free(c);
 #if 0
 	/* deliberate access after last free() */
-	fail_unless(c->references == 0, "refcount mismatch");
+	ck_assert_msg(c->references == 0, "refcount mismatch");
 #endif
 }
 END_TEST
--- a/tests/check/defaults.t.c
+++ b/tests/check/defaults.t.c
@ -41,7 +41,7 @@

 START_TEST(defaults_dropuser_01)
 {
-	fail_unless(0 == sys_privdrop(DFLT_DROPUSER, NULL, NULL),
+	ck_assert_msg(0 == sys_privdrop(DFLT_DROPUSER, NULL, NULL),
 	            "privdrop failed");
 }
 END_TEST
@ -53,11 +53,11 @@ END_TEST
 */
 START_TEST(defaults_dropuser_02)
 {
-	fail_unless(0 == system(CONNECT_CMD),
+	ck_assert_msg(0 == system(CONNECT_CMD),
 	            "connect failed for user running tests");
-	fail_unless(0 == sys_privdrop(DFLT_DROPUSER, NULL, NULL),
+	ck_assert_msg(0 == sys_privdrop(DFLT_DROPUSER, NULL, NULL),
 	            "privdrop failed");
-	fail_unless(0 == system(CONNECT_CMD),
+	ck_assert_msg(0 == system(CONNECT_CMD),
 	            "connect failed for default dropuser " DFLT_DROPUSER);
 }
 END_TEST
--- a/tests/check/dynbuf.t.c
+++ b/tests/check/dynbuf.t.c
@ -59,10 +59,10 @@ START_TEST(dynbuf_new_01)
 	dynbuf_t *db;

 	db = dynbuf_new(buf, sz);
-	fail_unless(!!db, "dynbuf not allocated");
-	fail_unless(!!db->buf, "buffer not set");
-	fail_unless(db->buf == buf, "buffer incorrect");
-	fail_unless(db->sz == sz, "size incorrect");
+	ck_assert_msg(!!db, "dynbuf not allocated");
+	ck_assert_msg(!!db->buf, "buffer not set");
+	ck_assert_msg(db->buf == buf, "buffer incorrect");
+	ck_assert_msg(db->sz == sz, "size incorrect");
 	dynbuf_free(db);
 	buf = malloc(sz);
 }
@ -73,9 +73,9 @@ START_TEST(dynbuf_new_alloc_01)
 	dynbuf_t *db;

 	db = dynbuf_new_alloc(sz);
-	fail_unless(!!db, "dynbuf not allocated");
-	fail_unless(!!db->buf, "buffer not set");
-	fail_unless(db->sz == sz, "size incorrect");
+	ck_assert_msg(!!db, "dynbuf not allocated");
+	ck_assert_msg(!!db->buf, "buffer not set");
+	ck_assert_msg(db->sz == sz, "size incorrect");
 	dynbuf_free(db);
 }
 END_TEST
@ -85,11 +85,11 @@ START_TEST(dynbuf_new_copy_01)
 	dynbuf_t *db;

 	db = dynbuf_new_copy(buf, sz);
-	fail_unless(!!db, "dynbuf not allocated");
-	fail_unless(!!db->buf, "buffer not set");
-	fail_unless(db->buf != buf, "buffer incorrect");
-	fail_unless(db->sz == sz, "size incorrect");
-	fail_unless(!memcmp(db->buf, buf, sz), "buffer data incorrect");
+	ck_assert_msg(!!db, "dynbuf not allocated");
+	ck_assert_msg(!!db->buf, "buffer not set");
+	ck_assert_msg(db->buf != buf, "buffer incorrect");
+	ck_assert_msg(db->sz == sz, "size incorrect");
+	ck_assert_msg(!memcmp(db->buf, buf, sz), "buffer data incorrect");
 	dynbuf_free(db);
 }
 END_TEST
@ -99,13 +99,13 @@ START_TEST(dynbuf_new_file_01)
 	dynbuf_t *db;

 	db = dynbuf_new_file(TESTCERT);
-	fail_unless(!!db, "dynbuf not allocated");
-	fail_unless(!!db->buf, "buffer not set");
-	fail_unless(db->buf != buf, "buffer incorrect");
-	fail_unless(db->sz > 0, "size incorrect");
-	fail_unless(!!strstr((char*)db->buf, "-----BEGIN CERTIFICATE-----"),
+	ck_assert_msg(!!db, "dynbuf not allocated");
+	ck_assert_msg(!!db->buf, "buffer not set");
+	ck_assert_msg(db->buf != buf, "buffer incorrect");
+	ck_assert_msg(db->sz > 0, "size incorrect");
+	ck_assert_msg(!!strstr((char*)db->buf, "-----BEGIN CERTIFICATE-----"),
 	            "cannot find begin of cert");
-	fail_unless(!!strstr((char*)db->buf, "-----END CERTIFICATE-----"),
+	ck_assert_msg(!!strstr((char*)db->buf, "-----END CERTIFICATE-----"),
 	            "cannot find end of cert");
 	dynbuf_free(db);
 }
--- a/tests/check/filter.t.c
+++ b/tests/check/filter.t.c
--- a/tests/check/filterstruct.t.c
+++ b/tests/check/filterstruct.t.c
--- a/tests/check/logbuf.t.c
+++ b/tests/check/logbuf.t.c
@ -40,10 +40,10 @@ START_TEST(logbuf_make_contiguous_01)
 	lb = logbuf_new_printf(lb, "%s", "456");
 	lb = logbuf_new_printf(lb, "%s", "123");
 	lb = logbuf_make_contiguous(lb);
-	fail_unless(!!lb, "logbuf_make_contiguous failed");
-	fail_unless(!lb->next, "multiple buffers");
-	fail_unless(logbuf_size(lb) == 9, "buffer size incorrect");
-	fail_unless(!memcmp(lb->buf, "123456789", 9), "buffer value incorrect");
+	ck_assert_msg(!!lb, "logbuf_make_contiguous failed");
+	ck_assert_msg(!lb->next, "multiple buffers");
+	ck_assert_msg(logbuf_size(lb) == 9, "buffer size incorrect");
+	ck_assert_msg(!memcmp(lb->buf, "123456789", 9), "buffer value incorrect");
 	logbuf_free(lb);
 }
 END_TEST
--- a/tests/check/main.t.c
+++ b/tests/check/main.t.c
@ -45,9 +45,9 @@ blank_suite(void)

 START_TEST(build_date_01)
 {
-	fail_unless(strlen(build_date) == 10, "length mismatch");
-	fail_unless(build_date[4] == '-', "year/month separator not dash");
-	fail_unless(build_date[7] == '-', "month/day separator not dash");
+	ck_assert_msg(strlen(build_date) == 10, "length mismatch");
+	ck_assert_msg(build_date[4] == '-', "year/month separator not dash");
+	ck_assert_msg(build_date[7] == '-', "month/day separator not dash");
 }
 END_TEST

--- a/tests/check/opts.t.c
+++ b/tests/check/opts.t.c
--- a/tests/check/proto.t.c
+++ b/tests/check/proto.t.c
@ -2,7 +2,7 @@
 * SSLsplit - transparent SSL/TLS interception
 * https://www.roe.ch/SSLsplit
 *
- * Copyright (c) 2017-2022, Soner Tari <sonertari@gmail.com>.
+ * Copyright (c) 2017-2024, Soner Tari <sonertari@gmail.com>.
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
@ -90,11 +90,11 @@ START_TEST(protohttp_validate_01)
 	http_ctx->seen_keyword_count = 1;
 	int rv = protohttp_validate(ctx);

-	fail_unless(rv == 0, "wrong return value");
-	fail_unless(http_ctx->not_valid == 0, "wrong not_valid");
-	fail_unless(http_ctx->seen_keyword_count == 1, "wrong seen_keyword_count");
-	fail_unless(ctx->protoctx->is_valid == 1, "wrong is_valid");
-	fail_unless(http_ctx->seen_bytes == 0, "wrong seen_bytes");
+	ck_assert_msg(rv == 0, "wrong return value");
+	ck_assert_msg(http_ctx->not_valid == 0, "wrong not_valid");
+	ck_assert_msg(http_ctx->seen_keyword_count == 1, "wrong seen_keyword_count");
+	ck_assert_msg(ctx->protoctx->is_valid == 1, "wrong is_valid");
+	ck_assert_msg(http_ctx->seen_bytes == 0, "wrong seen_bytes");

 	proto_free(ctx);
 }
@ -109,11 +109,11 @@ START_TEST(protohttp_validate_02)
 	http_ctx->http_method = strdup("GET");
 	int rv = protohttp_validate(ctx);

-	fail_unless(rv == 0, "wrong return value");
-	fail_unless(http_ctx->not_valid == 0, "wrong not_valid");
-	fail_unless(http_ctx->seen_keyword_count == 1, "wrong seen_keyword_count");
-	fail_unless(ctx->protoctx->is_valid == 1, "wrong is_valid");
-	fail_unless(http_ctx->seen_bytes == 0, "wrong seen_bytes");
+	ck_assert_msg(rv == 0, "wrong return value");
+	ck_assert_msg(http_ctx->not_valid == 0, "wrong not_valid");
+	ck_assert_msg(http_ctx->seen_keyword_count == 1, "wrong seen_keyword_count");
+	ck_assert_msg(ctx->protoctx->is_valid == 1, "wrong is_valid");
+	ck_assert_msg(http_ctx->seen_bytes == 0, "wrong seen_bytes");

 	proto_free(ctx);
 }
@ -127,11 +127,11 @@ START_TEST(protohttp_validate_03)
 	http_ctx->http_method = strdup("GET");
 	int rv = protohttp_validate(ctx);

-	fail_unless(rv == 0, "wrong return value");
-	fail_unless(http_ctx->not_valid == 0, "wrong not_valid");
-	fail_unless(http_ctx->seen_keyword_count == 0, "wrong seen_keyword_count");
-	fail_unless(ctx->protoctx->is_valid == 0, "wrong is_valid");
-	fail_unless(http_ctx->seen_bytes == 0, "wrong seen_bytes");
+	ck_assert_msg(rv == 0, "wrong return value");
+	ck_assert_msg(http_ctx->not_valid == 0, "wrong not_valid");
+	ck_assert_msg(http_ctx->seen_keyword_count == 0, "wrong seen_keyword_count");
+	ck_assert_msg(ctx->protoctx->is_valid == 0, "wrong is_valid");
+	ck_assert_msg(http_ctx->seen_bytes == 0, "wrong seen_bytes");

 	proto_free(ctx);
 }
@ -145,11 +145,11 @@ START_TEST(protohttp_validate_04)
 	http_ctx->http_method = strdup("GET1");
 	int rv = protohttp_validate(ctx);

-	fail_unless(rv == -1, "wrong return value");
-	fail_unless(http_ctx->not_valid == 1, "wrong not_valid");
-	fail_unless(http_ctx->seen_keyword_count == 0, "wrong seen_keyword_count");
-	fail_unless(ctx->protoctx->is_valid == 0, "wrong is_valid");
-	fail_unless(http_ctx->seen_bytes == 0, "wrong seen_bytes");
+	ck_assert_msg(rv == -1, "wrong return value");
+	ck_assert_msg(http_ctx->not_valid == 1, "wrong not_valid");
+	ck_assert_msg(http_ctx->seen_keyword_count == 0, "wrong seen_keyword_count");
+	ck_assert_msg(ctx->protoctx->is_valid == 0, "wrong is_valid");
+	ck_assert_msg(http_ctx->seen_bytes == 0, "wrong seen_bytes");

 	proto_free(ctx);
 }
@ -164,29 +164,29 @@ START_TEST(protohttp_validate_05)
 	http_ctx->http_method = strdup("GET1");
 	int rv = protohttp_validate(ctx);

-	fail_unless(rv == -1, "wrong return value");
-	fail_unless(http_ctx->not_valid == 1, "wrong not_valid");
-	fail_unless(http_ctx->seen_keyword_count == 1, "wrong seen_keyword_count");
-	fail_unless(ctx->protoctx->is_valid == 0, "wrong is_valid");
-	fail_unless(http_ctx->seen_bytes == 0, "wrong seen_bytes");
+	ck_assert_msg(rv == -1, "wrong return value");
+	ck_assert_msg(http_ctx->not_valid == 1, "wrong not_valid");
+	ck_assert_msg(http_ctx->seen_keyword_count == 1, "wrong seen_keyword_count");
+	ck_assert_msg(ctx->protoctx->is_valid == 0, "wrong is_valid");
+	ck_assert_msg(http_ctx->seen_bytes == 0, "wrong seen_bytes");

 	rv = protohttp_validate(ctx);

-	fail_unless(rv == -1, "wrong return value");
-	fail_unless(http_ctx->not_valid == 1, "wrong not_valid");
-	fail_unless(http_ctx->seen_keyword_count == 1, "wrong seen_keyword_count");
-	fail_unless(ctx->protoctx->is_valid == 0, "wrong is_valid");
-	fail_unless(http_ctx->seen_bytes == 0, "wrong seen_bytes");
+	ck_assert_msg(rv == -1, "wrong return value");
+	ck_assert_msg(http_ctx->not_valid == 1, "wrong not_valid");
+	ck_assert_msg(http_ctx->seen_keyword_count == 1, "wrong seen_keyword_count");
+	ck_assert_msg(ctx->protoctx->is_valid == 0, "wrong is_valid");
+	ck_assert_msg(http_ctx->seen_bytes == 0, "wrong seen_bytes");

 	free(http_ctx->http_method);
 	http_ctx->http_method = strdup("GET");
 	rv = protohttp_validate(ctx);

-	fail_unless(rv == -1, "wrong return value");
-	fail_unless(http_ctx->not_valid == 1, "wrong not_valid");
-	fail_unless(http_ctx->seen_keyword_count == 1, "wrong seen_keyword_count");
-	fail_unless(ctx->protoctx->is_valid == 0, "wrong is_valid");
-	fail_unless(http_ctx->seen_bytes == 0, "wrong seen_bytes");
+	ck_assert_msg(rv == -1, "wrong return value");
+	ck_assert_msg(http_ctx->not_valid == 1, "wrong not_valid");
+	ck_assert_msg(http_ctx->seen_keyword_count == 1, "wrong seen_keyword_count");
+	ck_assert_msg(ctx->protoctx->is_valid == 0, "wrong is_valid");
+	ck_assert_msg(http_ctx->seen_bytes == 0, "wrong seen_bytes");

 	proto_free(ctx);
 }
@ -201,19 +201,19 @@ START_TEST(protohttp_validate_06)
 	http_ctx->http_method = strdup("GET");
 	int rv = protohttp_validate(ctx);

-	fail_unless(rv == 0, "wrong return value");
-	fail_unless(http_ctx->not_valid == 0, "wrong not_valid");
-	fail_unless(http_ctx->seen_keyword_count == 1, "wrong seen_keyword_count");
-	fail_unless(ctx->protoctx->is_valid == 1, "wrong is_valid");
-	fail_unless(http_ctx->seen_bytes == 0, "wrong seen_bytes");
+	ck_assert_msg(rv == 0, "wrong return value");
+	ck_assert_msg(http_ctx->not_valid == 0, "wrong not_valid");
+	ck_assert_msg(http_ctx->seen_keyword_count == 1, "wrong seen_keyword_count");
+	ck_assert_msg(ctx->protoctx->is_valid == 1, "wrong is_valid");
+	ck_assert_msg(http_ctx->seen_bytes == 0, "wrong seen_bytes");

 	rv = protohttp_validate(ctx);

-	fail_unless(rv == 0, "wrong return value");
-	fail_unless(http_ctx->not_valid == 0, "wrong not_valid");
-	fail_unless(http_ctx->seen_keyword_count == 1, "wrong seen_keyword_count");
-	fail_unless(ctx->protoctx->is_valid == 1, "wrong is_valid");
-	fail_unless(http_ctx->seen_bytes == 0, "wrong seen_bytes");
+	ck_assert_msg(rv == 0, "wrong return value");
+	ck_assert_msg(http_ctx->not_valid == 0, "wrong not_valid");
+	ck_assert_msg(http_ctx->seen_keyword_count == 1, "wrong seen_keyword_count");
+	ck_assert_msg(ctx->protoctx->is_valid == 1, "wrong is_valid");
+	ck_assert_msg(http_ctx->seen_bytes == 0, "wrong seen_bytes");

 	// Normally we don't call protohttp_validate() if ctx->protoctx->is_valid is set,
 	// So both not_valid and is_valid are set.
@ -222,11 +222,11 @@ START_TEST(protohttp_validate_06)
 	http_ctx->http_method = strdup("GET1");
 	rv = protohttp_validate(ctx);

-	fail_unless(rv == -1, "wrong return value");
-	fail_unless(http_ctx->not_valid == 1, "wrong not_valid");
-	fail_unless(http_ctx->seen_keyword_count == 1, "wrong seen_keyword_count");
-	fail_unless(ctx->protoctx->is_valid == 1, "wrong is_valid");
-	fail_unless(http_ctx->seen_bytes == 0, "wrong seen_bytes");
+	ck_assert_msg(rv == -1, "wrong return value");
+	ck_assert_msg(http_ctx->not_valid == 1, "wrong not_valid");
+	ck_assert_msg(http_ctx->seen_keyword_count == 1, "wrong seen_keyword_count");
+	ck_assert_msg(ctx->protoctx->is_valid == 1, "wrong is_valid");
+	ck_assert_msg(http_ctx->seen_bytes == 0, "wrong seen_bytes");

 	proto_free(ctx);
 }
@ -240,11 +240,11 @@ START_TEST(protohttp_validate_07)
 	http_ctx->seen_bytes = 8193;
 	int rv = protohttp_validate(ctx);

-	fail_unless(rv == -1, "wrong return value");
-	fail_unless(http_ctx->not_valid == 1, "wrong not_valid");
-	fail_unless(http_ctx->seen_keyword_count == 0, "wrong seen_keyword_count");
-	fail_unless(ctx->protoctx->is_valid == 0, "wrong is_valid");
-	fail_unless(http_ctx->seen_bytes == 8193, "wrong seen_bytes");
+	ck_assert_msg(rv == -1, "wrong return value");
+	ck_assert_msg(http_ctx->not_valid == 1, "wrong not_valid");
+	ck_assert_msg(http_ctx->seen_keyword_count == 0, "wrong seen_keyword_count");
+	ck_assert_msg(ctx->protoctx->is_valid == 0, "wrong is_valid");
+	ck_assert_msg(http_ctx->seen_bytes == 8193, "wrong seen_bytes");

 	proto_free(ctx);
 }
@ -259,11 +259,11 @@ START_TEST(protohttp_validate_08)
 	http_ctx->seen_keyword_count = 1;
 	int rv = protohttp_validate(ctx);

-	fail_unless(rv == 0, "wrong return value");
-	fail_unless(http_ctx->not_valid == 0, "wrong not_valid");
-	fail_unless(http_ctx->seen_keyword_count == 1, "wrong seen_keyword_count");
-	fail_unless(ctx->protoctx->is_valid == 1, "wrong is_valid");
-	fail_unless(http_ctx->seen_bytes == 8193, "wrong seen_bytes");
+	ck_assert_msg(rv == 0, "wrong return value");
+	ck_assert_msg(http_ctx->not_valid == 0, "wrong not_valid");
+	ck_assert_msg(http_ctx->seen_keyword_count == 1, "wrong seen_keyword_count");
+	ck_assert_msg(ctx->protoctx->is_valid == 1, "wrong is_valid");
+	ck_assert_msg(http_ctx->seen_bytes == 8193, "wrong seen_bytes");

 	proto_free(ctx);
 }
@ -278,11 +278,11 @@ START_TEST(protohttp_validate_09)
 	http_ctx->http_method = strdup("GET");
 	int rv = protohttp_validate(ctx);

-	fail_unless(rv == -1, "wrong return value");
-	fail_unless(http_ctx->not_valid == 1, "wrong not_valid");
-	fail_unless(http_ctx->seen_keyword_count == 0, "wrong seen_keyword_count");
-	fail_unless(ctx->protoctx->is_valid == 0, "wrong is_valid");
-	fail_unless(http_ctx->seen_bytes == 8193, "wrong seen_bytes");
+	ck_assert_msg(rv == -1, "wrong return value");
+	ck_assert_msg(http_ctx->not_valid == 1, "wrong not_valid");
+	ck_assert_msg(http_ctx->seen_keyword_count == 0, "wrong seen_keyword_count");
+	ck_assert_msg(ctx->protoctx->is_valid == 0, "wrong is_valid");
+	ck_assert_msg(http_ctx->seen_bytes == 8193, "wrong seen_bytes");

 	proto_free(ctx);
 }
@ -298,11 +298,11 @@ START_TEST(protohttp_validate_10)
 	http_ctx->http_method = strdup("GET");
 	int rv = protohttp_validate(ctx);

-	fail_unless(rv == 0, "wrong return value");
-	fail_unless(http_ctx->not_valid == 0, "wrong not_valid");
-	fail_unless(http_ctx->seen_keyword_count == 1, "wrong seen_keyword_count");
-	fail_unless(ctx->protoctx->is_valid == 1, "wrong is_valid");
-	fail_unless(http_ctx->seen_bytes == 8193, "wrong seen_bytes");
+	ck_assert_msg(rv == 0, "wrong return value");
+	ck_assert_msg(http_ctx->not_valid == 0, "wrong not_valid");
+	ck_assert_msg(http_ctx->seen_keyword_count == 1, "wrong seen_keyword_count");
+	ck_assert_msg(ctx->protoctx->is_valid == 1, "wrong is_valid");
+	ck_assert_msg(http_ctx->seen_bytes == 8193, "wrong seen_bytes");

 	proto_free(ctx);
 }
@ -316,26 +316,26 @@ START_TEST(protopop3_validate_01)
 	char array01[] = {'C', 'A', 'P', 'A'};
 	int rv = protopop3_validate(ctx, array01, sizeof(array01));

-	fail_unless(rv == 0, "wrong return value");
-	fail_unless(pop3_ctx->not_valid == 0, "wrong not_valid");
-	fail_unless(pop3_ctx->seen_command_count == 1, "wrong seen_command_count");
-	fail_unless(ctx->protoctx->is_valid == 0, "wrong is_valid");
+	ck_assert_msg(rv == 0, "wrong return value");
+	ck_assert_msg(pop3_ctx->not_valid == 0, "wrong not_valid");
+	ck_assert_msg(pop3_ctx->seen_command_count == 1, "wrong seen_command_count");
+	ck_assert_msg(ctx->protoctx->is_valid == 0, "wrong is_valid");

 	char array02[] = {'U', 'S', 'E', 'R', ' ', 's', 'o', 'n', 'e', 'r'};
 	rv = protopop3_validate(ctx, array02, sizeof(array02));

-	fail_unless(rv == 0, "wrong return value");
-	fail_unless(pop3_ctx->not_valid == 0, "wrong not_valid");
-	fail_unless(pop3_ctx->seen_command_count == 2, "wrong seen_command_count");
-	fail_unless(ctx->protoctx->is_valid == 0, "wrong is_valid");
+	ck_assert_msg(rv == 0, "wrong return value");
+	ck_assert_msg(pop3_ctx->not_valid == 0, "wrong not_valid");
+	ck_assert_msg(pop3_ctx->seen_command_count == 2, "wrong seen_command_count");
+	ck_assert_msg(ctx->protoctx->is_valid == 0, "wrong is_valid");

 	char array03[] = {'P', 'A', 'S', 'S', ' ', 's', 'o', 'n', 'e', 'r'};
 	rv = protopop3_validate(ctx, array03, sizeof(array03));

-	fail_unless(rv == 0, "wrong return value");
-	fail_unless(pop3_ctx->not_valid == 0, "wrong not_valid");
-	fail_unless(pop3_ctx->seen_command_count == 3, "wrong seen_command_count");
-	fail_unless(ctx->protoctx->is_valid == 1, "wrong is_valid");
+	ck_assert_msg(rv == 0, "wrong return value");
+	ck_assert_msg(pop3_ctx->not_valid == 0, "wrong not_valid");
+	ck_assert_msg(pop3_ctx->seen_command_count == 3, "wrong seen_command_count");
+	ck_assert_msg(ctx->protoctx->is_valid == 1, "wrong is_valid");

 	// Normally we don't call protopop3_validate() if ctx->protoctx->is_valid is set,
 	// so pop3_ctx->seen_command_count never goes above 3.
@ -343,10 +343,10 @@ START_TEST(protopop3_validate_01)
 	char array04[] = {'Q', 'U', 'I', 'T'};
 	rv = protopop3_validate(ctx, array04, sizeof(array04));

-	fail_unless(rv == 0, "wrong return value");
-	fail_unless(pop3_ctx->not_valid == 0, "wrong not_valid");
-	fail_unless(pop3_ctx->seen_command_count == 4, "wrong seen_command_count");
-	fail_unless(ctx->protoctx->is_valid == 1, "wrong is_valid");
+	ck_assert_msg(rv == 0, "wrong return value");
+	ck_assert_msg(pop3_ctx->not_valid == 0, "wrong not_valid");
+	ck_assert_msg(pop3_ctx->seen_command_count == 4, "wrong seen_command_count");
+	ck_assert_msg(ctx->protoctx->is_valid == 1, "wrong is_valid");

 	proto_free(ctx);
 }
@ -360,10 +360,10 @@ START_TEST(protopop3_validate_02)
 	char array01[] = {'C', 'A', 'P'};
 	int rv = protopop3_validate(ctx, array01, sizeof(array01));

-	fail_unless(rv == -1, "wrong return value");
-	fail_unless(pop3_ctx->not_valid == 1, "wrong not_valid");
-	fail_unless(pop3_ctx->seen_command_count == 0, "wrong seen_command_count");
-	fail_unless(ctx->protoctx->is_valid == 0, "wrong is_valid");
+	ck_assert_msg(rv == -1, "wrong return value");
+	ck_assert_msg(pop3_ctx->not_valid == 1, "wrong not_valid");
+	ck_assert_msg(pop3_ctx->seen_command_count == 0, "wrong seen_command_count");
+	ck_assert_msg(ctx->protoctx->is_valid == 0, "wrong is_valid");

 	proto_free(ctx);
 }
@ -377,18 +377,18 @@ START_TEST(protopop3_validate_03)
 	char array01[] = {'C', 'A', 'P', 'A'};
 	int rv = protopop3_validate(ctx, array01, sizeof(array01));

-	fail_unless(rv == 0, "wrong return value");
-	fail_unless(pop3_ctx->not_valid == 0, "wrong not_valid");
-	fail_unless(pop3_ctx->seen_command_count == 1, "wrong seen_command_count");
-	fail_unless(ctx->protoctx->is_valid == 0, "wrong is_valid");
+	ck_assert_msg(rv == 0, "wrong return value");
+	ck_assert_msg(pop3_ctx->not_valid == 0, "wrong not_valid");
+	ck_assert_msg(pop3_ctx->seen_command_count == 1, "wrong seen_command_count");
+	ck_assert_msg(ctx->protoctx->is_valid == 0, "wrong is_valid");

 	char array02[] = {'U', 'S', 'E', ' ', 's', 'o', 'n', 'e', 'r'};
 	rv = protopop3_validate(ctx, array02, sizeof(array02));

-	fail_unless(rv == -1, "wrong return value");
-	fail_unless(pop3_ctx->not_valid == 1, "wrong not_valid");
-	fail_unless(pop3_ctx->seen_command_count == 1, "wrong seen_command_count");
-	fail_unless(ctx->protoctx->is_valid == 0, "wrong is_valid");
+	ck_assert_msg(rv == -1, "wrong return value");
+	ck_assert_msg(pop3_ctx->not_valid == 1, "wrong not_valid");
+	ck_assert_msg(pop3_ctx->seen_command_count == 1, "wrong seen_command_count");
+	ck_assert_msg(ctx->protoctx->is_valid == 0, "wrong is_valid");

 	proto_free(ctx);
 }
@ -402,26 +402,26 @@ START_TEST(protopop3_validate_04)
 	char array01[] = {'C', 'A', 'P', 'A'};
 	int rv = protopop3_validate(ctx, array01, sizeof(array01));

-	fail_unless(rv == 0, "wrong return value");
-	fail_unless(pop3_ctx->not_valid == 0, "wrong not_valid");
-	fail_unless(pop3_ctx->seen_command_count == 1, "wrong seen_command_count");
-	fail_unless(ctx->protoctx->is_valid == 0, "wrong is_valid");
+	ck_assert_msg(rv == 0, "wrong return value");
+	ck_assert_msg(pop3_ctx->not_valid == 0, "wrong not_valid");
+	ck_assert_msg(pop3_ctx->seen_command_count == 1, "wrong seen_command_count");
+	ck_assert_msg(ctx->protoctx->is_valid == 0, "wrong is_valid");

 	char array02[] = {'U', 'S', 'E', 'R', ' ', 's', 'o', 'n', 'e', 'r'};
 	rv = protopop3_validate(ctx, array02, sizeof(array02));

-	fail_unless(rv == 0, "wrong return value");
-	fail_unless(pop3_ctx->not_valid == 0, "wrong not_valid");
-	fail_unless(pop3_ctx->seen_command_count == 2, "wrong seen_command_count");
-	fail_unless(ctx->protoctx->is_valid == 0, "wrong is_valid");
+	ck_assert_msg(rv == 0, "wrong return value");
+	ck_assert_msg(pop3_ctx->not_valid == 0, "wrong not_valid");
+	ck_assert_msg(pop3_ctx->seen_command_count == 2, "wrong seen_command_count");
+	ck_assert_msg(ctx->protoctx->is_valid == 0, "wrong is_valid");

 	char array03[] = {'P', 'A', 'S', ' ', 's', 'o', 'n', 'e', 'r'};
 	rv = protopop3_validate(ctx, array03, sizeof(array03));

-	fail_unless(rv == -1, "wrong return value");
-	fail_unless(pop3_ctx->not_valid == 1, "wrong not_valid");
-	fail_unless(pop3_ctx->seen_command_count == 2, "wrong seen_command_count");
-	fail_unless(ctx->protoctx->is_valid == 0, "wrong is_valid");
+	ck_assert_msg(rv == -1, "wrong return value");
+	ck_assert_msg(pop3_ctx->not_valid == 1, "wrong not_valid");
+	ck_assert_msg(pop3_ctx->seen_command_count == 2, "wrong seen_command_count");
+	ck_assert_msg(ctx->protoctx->is_valid == 0, "wrong is_valid");

 	proto_free(ctx);
 }
@ -435,26 +435,26 @@ START_TEST(protopop3_validate_05)
 	char array01[] = {'C', 'A', 'P', 'A'};
 	int rv = protopop3_validate(ctx, array01, sizeof(array01));

-	fail_unless(rv == 0, "wrong return value");
-	fail_unless(pop3_ctx->not_valid == 0, "wrong not_valid");
-	fail_unless(pop3_ctx->seen_command_count == 1, "wrong seen_command_count");
-	fail_unless(ctx->protoctx->is_valid == 0, "wrong is_valid");
+	ck_assert_msg(rv == 0, "wrong return value");
+	ck_assert_msg(pop3_ctx->not_valid == 0, "wrong not_valid");
+	ck_assert_msg(pop3_ctx->seen_command_count == 1, "wrong seen_command_count");
+	ck_assert_msg(ctx->protoctx->is_valid == 0, "wrong is_valid");

 	char array02[] = {'U', 'S', 'E', 'R', ' ', 's', 'o', 'n', 'e', 'r'};
 	rv = protopop3_validate(ctx, array02, sizeof(array02));

-	fail_unless(rv == 0, "wrong return value");
-	fail_unless(pop3_ctx->not_valid == 0, "wrong not_valid");
-	fail_unless(pop3_ctx->seen_command_count == 2, "wrong seen_command_count");
-	fail_unless(ctx->protoctx->is_valid == 0, "wrong is_valid");
+	ck_assert_msg(rv == 0, "wrong return value");
+	ck_assert_msg(pop3_ctx->not_valid == 0, "wrong not_valid");
+	ck_assert_msg(pop3_ctx->seen_command_count == 2, "wrong seen_command_count");
+	ck_assert_msg(ctx->protoctx->is_valid == 0, "wrong is_valid");

 	char array03[] = {'P', 'A', 'S', 'S', ' ', 's', 'o', 'n', 'e', 'r'};
 	rv = protopop3_validate(ctx, array03, sizeof(array03));

-	fail_unless(rv == 0, "wrong return value");
-	fail_unless(pop3_ctx->not_valid == 0, "wrong not_valid");
-	fail_unless(pop3_ctx->seen_command_count == 3, "wrong seen_command_count");
-	fail_unless(ctx->protoctx->is_valid == 1, "wrong is_valid");
+	ck_assert_msg(rv == 0, "wrong return value");
+	ck_assert_msg(pop3_ctx->not_valid == 0, "wrong not_valid");
+	ck_assert_msg(pop3_ctx->seen_command_count == 3, "wrong seen_command_count");
+	ck_assert_msg(ctx->protoctx->is_valid == 1, "wrong is_valid");

 	// Normally we don't call protopop3_validate() if ctx->protoctx->is_valid is set,
 	// So both not_valid and is_valid are set.
@ -462,18 +462,18 @@ START_TEST(protopop3_validate_05)
 	char array04[] = {'Q', 'U', 'I'};
 	rv = protopop3_validate(ctx, array04, sizeof(array04));

-	fail_unless(rv == -1, "wrong return value");
-	fail_unless(pop3_ctx->not_valid == 1, "wrong not_valid");
-	fail_unless(pop3_ctx->seen_command_count == 3, "wrong seen_command_count");
-	fail_unless(ctx->protoctx->is_valid == 1, "wrong is_valid");
+	ck_assert_msg(rv == -1, "wrong return value");
+	ck_assert_msg(pop3_ctx->not_valid == 1, "wrong not_valid");
+	ck_assert_msg(pop3_ctx->seen_command_count == 3, "wrong seen_command_count");
+	ck_assert_msg(ctx->protoctx->is_valid == 1, "wrong is_valid");

 	// Again, this is for testing purposes only.
 	rv = protopop3_validate(ctx, array04, sizeof(array04));

-	fail_unless(rv == -1, "wrong return value");
-	fail_unless(pop3_ctx->not_valid == 1, "wrong not_valid");
-	fail_unless(pop3_ctx->seen_command_count == 3, "wrong seen_command_count");
-	fail_unless(ctx->protoctx->is_valid == 1, "wrong is_valid");
+	ck_assert_msg(rv == -1, "wrong return value");
+	ck_assert_msg(pop3_ctx->not_valid == 1, "wrong not_valid");
+	ck_assert_msg(pop3_ctx->seen_command_count == 3, "wrong seen_command_count");
+	ck_assert_msg(ctx->protoctx->is_valid == 1, "wrong is_valid");

 	proto_free(ctx);
 }
@ -487,17 +487,17 @@ START_TEST(protopop3_validate_06)
 	char array01[] = {'C', 'A', 'P'};
 	int rv = protopop3_validate(ctx, array01, sizeof(array01));

-	fail_unless(rv == -1, "wrong return value");
-	fail_unless(pop3_ctx->not_valid == 1, "wrong not_valid");
-	fail_unless(pop3_ctx->seen_command_count == 0, "wrong seen_command_count");
-	fail_unless(ctx->protoctx->is_valid == 0, "wrong is_valid");
+	ck_assert_msg(rv == -1, "wrong return value");
+	ck_assert_msg(pop3_ctx->not_valid == 1, "wrong not_valid");
+	ck_assert_msg(pop3_ctx->seen_command_count == 0, "wrong seen_command_count");
+	ck_assert_msg(ctx->protoctx->is_valid == 0, "wrong is_valid");

 	rv = protopop3_validate(ctx, array01, sizeof(array01));

-	fail_unless(rv == -1, "wrong return value");
-	fail_unless(pop3_ctx->not_valid == 1, "wrong not_valid");
-	fail_unless(pop3_ctx->seen_command_count == 0, "wrong seen_command_count");
-	fail_unless(ctx->protoctx->is_valid == 0, "wrong is_valid");
+	ck_assert_msg(rv == -1, "wrong return value");
+	ck_assert_msg(pop3_ctx->not_valid == 1, "wrong not_valid");
+	ck_assert_msg(pop3_ctx->seen_command_count == 0, "wrong seen_command_count");
+	ck_assert_msg(ctx->protoctx->is_valid == 0, "wrong is_valid");

 	proto_free(ctx);
 }
@ -511,26 +511,26 @@ START_TEST(protosmtp_validate_01)
 	char array01[] = {'E', 'H', 'L', 'O'};
 	int rv = protosmtp_validate(ctx, array01, sizeof(array01));

-	fail_unless(rv == 0, "wrong return value");
-	fail_unless(smtp_ctx->not_valid == 0, "wrong not_valid");
-	fail_unless(smtp_ctx->seen_command_count == 1, "wrong seen_command_count");
-	fail_unless(ctx->protoctx->is_valid == 0, "wrong is_valid");
+	ck_assert_msg(rv == 0, "wrong return value");
+	ck_assert_msg(smtp_ctx->not_valid == 0, "wrong not_valid");
+	ck_assert_msg(smtp_ctx->seen_command_count == 1, "wrong seen_command_count");
+	ck_assert_msg(ctx->protoctx->is_valid == 0, "wrong is_valid");

 	char array02[] = {'A', 'U', 'T', 'H', ' ', 's', 'o', 'n', 'e', 'r'};
 	rv = protosmtp_validate(ctx, array02, sizeof(array02));

-	fail_unless(rv == 0, "wrong return value");
-	fail_unless(smtp_ctx->not_valid == 0, "wrong not_valid");
-	fail_unless(smtp_ctx->seen_command_count == 2, "wrong seen_command_count");
-	fail_unless(ctx->protoctx->is_valid == 0, "wrong is_valid");
+	ck_assert_msg(rv == 0, "wrong return value");
+	ck_assert_msg(smtp_ctx->not_valid == 0, "wrong not_valid");
+	ck_assert_msg(smtp_ctx->seen_command_count == 2, "wrong seen_command_count");
+	ck_assert_msg(ctx->protoctx->is_valid == 0, "wrong is_valid");

 	char array03[] = {'M', 'A', 'I', 'L', ' ', 's', 'o', 'n', 'e', 'r'};
 	rv = protosmtp_validate(ctx, array03, sizeof(array03));

-	fail_unless(rv == 0, "wrong return value");
-	fail_unless(smtp_ctx->not_valid == 0, "wrong not_valid");
-	fail_unless(smtp_ctx->seen_command_count == 3, "wrong seen_command_count");
-	fail_unless(ctx->protoctx->is_valid == 1, "wrong is_valid");
+	ck_assert_msg(rv == 0, "wrong return value");
+	ck_assert_msg(smtp_ctx->not_valid == 0, "wrong not_valid");
+	ck_assert_msg(smtp_ctx->seen_command_count == 3, "wrong seen_command_count");
+	ck_assert_msg(ctx->protoctx->is_valid == 1, "wrong is_valid");

 	// Normally we don't call protosmtp_validate() if ctx->protoctx->is_valid is set,
 	// so smtp_ctx->seen_command_count never goes above 3.
@ -538,10 +538,10 @@ START_TEST(protosmtp_validate_01)
 	char array04[] = {'Q', 'U', 'I', 'T'};
 	rv = protosmtp_validate(ctx, array04, sizeof(array04));

-	fail_unless(rv == 0, "wrong return value");
-	fail_unless(smtp_ctx->not_valid == 0, "wrong not_valid");
-	fail_unless(smtp_ctx->seen_command_count == 4, "wrong seen_command_count");
-	fail_unless(ctx->protoctx->is_valid == 1, "wrong is_valid");
+	ck_assert_msg(rv == 0, "wrong return value");
+	ck_assert_msg(smtp_ctx->not_valid == 0, "wrong not_valid");
+	ck_assert_msg(smtp_ctx->seen_command_count == 4, "wrong seen_command_count");
+	ck_assert_msg(ctx->protoctx->is_valid == 1, "wrong is_valid");

 	proto_free(ctx);
 }
@ -555,10 +555,10 @@ START_TEST(protosmtp_validate_02)
 	char array01[] = {'E', 'H', 'L'};
 	int rv = protosmtp_validate(ctx, array01, sizeof(array01));

-	fail_unless(rv == -1, "wrong return value");
-	fail_unless(smtp_ctx->not_valid == 1, "wrong not_valid");
-	fail_unless(smtp_ctx->seen_command_count == 0, "wrong seen_command_count");
-	fail_unless(ctx->protoctx->is_valid == 0, "wrong is_valid");
+	ck_assert_msg(rv == -1, "wrong return value");
+	ck_assert_msg(smtp_ctx->not_valid == 1, "wrong not_valid");
+	ck_assert_msg(smtp_ctx->seen_command_count == 0, "wrong seen_command_count");
+	ck_assert_msg(ctx->protoctx->is_valid == 0, "wrong is_valid");

 	proto_free(ctx);
 }
@ -572,18 +572,18 @@ START_TEST(protosmtp_validate_03)
 	char array01[] = {'E', 'H', 'L', 'O'};
 	int rv = protosmtp_validate(ctx, array01, sizeof(array01));

-	fail_unless(rv == 0, "wrong return value");
-	fail_unless(smtp_ctx->not_valid == 0, "wrong not_valid");
-	fail_unless(smtp_ctx->seen_command_count == 1, "wrong seen_command_count");
-	fail_unless(ctx->protoctx->is_valid == 0, "wrong is_valid");
+	ck_assert_msg(rv == 0, "wrong return value");
+	ck_assert_msg(smtp_ctx->not_valid == 0, "wrong not_valid");
+	ck_assert_msg(smtp_ctx->seen_command_count == 1, "wrong seen_command_count");
+	ck_assert_msg(ctx->protoctx->is_valid == 0, "wrong is_valid");

 	char array02[] = {'A', 'U', 'T', ' ', 's', 'o', 'n', 'e', 'r'};
 	rv = protosmtp_validate(ctx, array02, sizeof(array02));

-	fail_unless(rv == -1, "wrong return value");
-	fail_unless(smtp_ctx->not_valid == 1, "wrong not_valid");
-	fail_unless(smtp_ctx->seen_command_count == 1, "wrong seen_command_count");
-	fail_unless(ctx->protoctx->is_valid == 0, "wrong is_valid");
+	ck_assert_msg(rv == -1, "wrong return value");
+	ck_assert_msg(smtp_ctx->not_valid == 1, "wrong not_valid");
+	ck_assert_msg(smtp_ctx->seen_command_count == 1, "wrong seen_command_count");
+	ck_assert_msg(ctx->protoctx->is_valid == 0, "wrong is_valid");

 	proto_free(ctx);
 }
@ -597,26 +597,26 @@ START_TEST(protosmtp_validate_04)
 	char array01[] = {'E', 'H', 'L', 'O'};
 	int rv = protosmtp_validate(ctx, array01, sizeof(array01));

-	fail_unless(rv == 0, "wrong return value");
-	fail_unless(smtp_ctx->not_valid == 0, "wrong not_valid");
-	fail_unless(smtp_ctx->seen_command_count == 1, "wrong seen_command_count");
-	fail_unless(ctx->protoctx->is_valid == 0, "wrong is_valid");
+	ck_assert_msg(rv == 0, "wrong return value");
+	ck_assert_msg(smtp_ctx->not_valid == 0, "wrong not_valid");
+	ck_assert_msg(smtp_ctx->seen_command_count == 1, "wrong seen_command_count");
+	ck_assert_msg(ctx->protoctx->is_valid == 0, "wrong is_valid");

 	char array02[] = {'A', 'U', 'T', 'H', ' ', 's', 'o', 'n', 'e', 'r'};
 	rv = protosmtp_validate(ctx, array02, sizeof(array02));

-	fail_unless(rv == 0, "wrong return value");
-	fail_unless(smtp_ctx->not_valid == 0, "wrong not_valid");
-	fail_unless(smtp_ctx->seen_command_count == 2, "wrong seen_command_count");
-	fail_unless(ctx->protoctx->is_valid == 0, "wrong is_valid");
+	ck_assert_msg(rv == 0, "wrong return value");
+	ck_assert_msg(smtp_ctx->not_valid == 0, "wrong not_valid");
+	ck_assert_msg(smtp_ctx->seen_command_count == 2, "wrong seen_command_count");
+	ck_assert_msg(ctx->protoctx->is_valid == 0, "wrong is_valid");

 	char array03[] = {'M', 'A', 'I', ' ', 's', 'o', 'n', 'e', 'r'};
 	rv = protosmtp_validate(ctx, array03, sizeof(array03));

-	fail_unless(rv == -1, "wrong return value");
-	fail_unless(smtp_ctx->not_valid == 1, "wrong not_valid");
-	fail_unless(smtp_ctx->seen_command_count == 2, "wrong seen_command_count");
-	fail_unless(ctx->protoctx->is_valid == 0, "wrong is_valid");
+	ck_assert_msg(rv == -1, "wrong return value");
+	ck_assert_msg(smtp_ctx->not_valid == 1, "wrong not_valid");
+	ck_assert_msg(smtp_ctx->seen_command_count == 2, "wrong seen_command_count");
+	ck_assert_msg(ctx->protoctx->is_valid == 0, "wrong is_valid");

 	proto_free(ctx);
 }
@ -630,26 +630,26 @@ START_TEST(protosmtp_validate_05)
 	char array01[] = {'E', 'H', 'L', 'O'};
 	int rv = protosmtp_validate(ctx, array01, sizeof(array01));

-	fail_unless(rv == 0, "wrong return value");
-	fail_unless(smtp_ctx->not_valid == 0, "wrong not_valid");
-	fail_unless(smtp_ctx->seen_command_count == 1, "wrong seen_command_count");
-	fail_unless(ctx->protoctx->is_valid == 0, "wrong is_valid");
+	ck_assert_msg(rv == 0, "wrong return value");
+	ck_assert_msg(smtp_ctx->not_valid == 0, "wrong not_valid");
+	ck_assert_msg(smtp_ctx->seen_command_count == 1, "wrong seen_command_count");
+	ck_assert_msg(ctx->protoctx->is_valid == 0, "wrong is_valid");

 	char array02[] = {'A', 'U', 'T', 'H', ' ', 's', 'o', 'n', 'e', 'r'};
 	rv = protosmtp_validate(ctx, array02, sizeof(array02));

-	fail_unless(rv == 0, "wrong return value");
-	fail_unless(smtp_ctx->not_valid == 0, "wrong not_valid");
-	fail_unless(smtp_ctx->seen_command_count == 2, "wrong seen_command_count");
-	fail_unless(ctx->protoctx->is_valid == 0, "wrong is_valid");
+	ck_assert_msg(rv == 0, "wrong return value");
+	ck_assert_msg(smtp_ctx->not_valid == 0, "wrong not_valid");
+	ck_assert_msg(smtp_ctx->seen_command_count == 2, "wrong seen_command_count");
+	ck_assert_msg(ctx->protoctx->is_valid == 0, "wrong is_valid");

 	char array03[] = {'M', 'A', 'I', 'L', ' ', 's', 'o', 'n', 'e', 'r'};
 	rv = protosmtp_validate(ctx, array03, sizeof(array03));

-	fail_unless(rv == 0, "wrong return value");
-	fail_unless(smtp_ctx->not_valid == 0, "wrong not_valid");
-	fail_unless(smtp_ctx->seen_command_count == 3, "wrong seen_command_count");
-	fail_unless(ctx->protoctx->is_valid == 1, "wrong is_valid");
+	ck_assert_msg(rv == 0, "wrong return value");
+	ck_assert_msg(smtp_ctx->not_valid == 0, "wrong not_valid");
+	ck_assert_msg(smtp_ctx->seen_command_count == 3, "wrong seen_command_count");
+	ck_assert_msg(ctx->protoctx->is_valid == 1, "wrong is_valid");

 	// Normally we don't call protosmtp_validate() if ctx->protoctx->is_valid is set,
 	// So both not_valid and is_valid are set.
@ -657,18 +657,18 @@ START_TEST(protosmtp_validate_05)
 	char array04[] = {'Q', 'U', 'I'};
 	rv = protosmtp_validate(ctx, array04, sizeof(array04));

-	fail_unless(rv == -1, "wrong return value");
-	fail_unless(smtp_ctx->not_valid == 1, "wrong not_valid");
-	fail_unless(smtp_ctx->seen_command_count == 3, "wrong seen_command_count");
-	fail_unless(ctx->protoctx->is_valid == 1, "wrong is_valid");
+	ck_assert_msg(rv == -1, "wrong return value");
+	ck_assert_msg(smtp_ctx->not_valid == 1, "wrong not_valid");
+	ck_assert_msg(smtp_ctx->seen_command_count == 3, "wrong seen_command_count");
+	ck_assert_msg(ctx->protoctx->is_valid == 1, "wrong is_valid");

 	// Again, this is for testing purposes only.
 	rv = protosmtp_validate(ctx, array04, sizeof(array04));

-	fail_unless(rv == -1, "wrong return value");
-	fail_unless(smtp_ctx->not_valid == 1, "wrong not_valid");
-	fail_unless(smtp_ctx->seen_command_count == 3, "wrong seen_command_count");
-	fail_unless(ctx->protoctx->is_valid == 1, "wrong is_valid");
+	ck_assert_msg(rv == -1, "wrong return value");
+	ck_assert_msg(smtp_ctx->not_valid == 1, "wrong not_valid");
+	ck_assert_msg(smtp_ctx->seen_command_count == 3, "wrong seen_command_count");
+	ck_assert_msg(ctx->protoctx->is_valid == 1, "wrong is_valid");

 	proto_free(ctx);
 }
@ -682,17 +682,17 @@ START_TEST(protosmtp_validate_06)
 	char array01[] = {'E', 'H', 'L'};
 	int rv = protosmtp_validate(ctx, array01, sizeof(array01));

-	fail_unless(rv == -1, "wrong return value");
-	fail_unless(smtp_ctx->not_valid == 1, "wrong not_valid");
-	fail_unless(smtp_ctx->seen_command_count == 0, "wrong seen_command_count");
-	fail_unless(ctx->protoctx->is_valid == 0, "wrong is_valid");
+	ck_assert_msg(rv == -1, "wrong return value");
+	ck_assert_msg(smtp_ctx->not_valid == 1, "wrong not_valid");
+	ck_assert_msg(smtp_ctx->seen_command_count == 0, "wrong seen_command_count");
+	ck_assert_msg(ctx->protoctx->is_valid == 0, "wrong is_valid");

 	rv = protosmtp_validate(ctx, array01, sizeof(array01));

-	fail_unless(rv == -1, "wrong return value");
-	fail_unless(smtp_ctx->not_valid == 1, "wrong not_valid");
-	fail_unless(smtp_ctx->seen_command_count == 0, "wrong seen_command_count");
-	fail_unless(ctx->protoctx->is_valid == 0, "wrong is_valid");
+	ck_assert_msg(rv == -1, "wrong return value");
+	ck_assert_msg(smtp_ctx->not_valid == 1, "wrong not_valid");
+	ck_assert_msg(smtp_ctx->seen_command_count == 0, "wrong seen_command_count");
+	ck_assert_msg(ctx->protoctx->is_valid == 0, "wrong is_valid");

 	proto_free(ctx);
 }
@ -706,10 +706,10 @@ START_TEST(protosmtp_validate_response_01)
 	char array01[] = {'2', '2', '0', ' ', 's', 'm', 't', 'p'};
 	int rv = protosmtp_validate_response(ctx, array01, sizeof(array01));

-	fail_unless(rv == 0, "wrong return value");
-	fail_unless(smtp_ctx->not_valid == 0, "wrong not_valid");
-	fail_unless(smtp_ctx->seen_command_count == 0, "wrong seen_command_count");
-	fail_unless(ctx->protoctx->is_valid == 0, "wrong is_valid");
+	ck_assert_msg(rv == 0, "wrong return value");
+	ck_assert_msg(smtp_ctx->not_valid == 0, "wrong not_valid");
+	ck_assert_msg(smtp_ctx->seen_command_count == 0, "wrong seen_command_count");
+	ck_assert_msg(ctx->protoctx->is_valid == 0, "wrong is_valid");

 	proto_free(ctx);
 }
@ -723,10 +723,10 @@ START_TEST(protosmtp_validate_response_02)
 	char array01[] = {'1', '9', '9', ' ', 's', 'm', 't', 'p'};
 	int rv = protosmtp_validate_response(ctx, array01, sizeof(array01));

-	fail_unless(rv == -1, "wrong return value");
-	fail_unless(smtp_ctx->not_valid == 1, "wrong not_valid");
-	fail_unless(smtp_ctx->seen_command_count == 0, "wrong seen_command_count");
-	fail_unless(ctx->protoctx->is_valid == 0, "wrong is_valid");
+	ck_assert_msg(rv == -1, "wrong return value");
+	ck_assert_msg(smtp_ctx->not_valid == 1, "wrong not_valid");
+	ck_assert_msg(smtp_ctx->seen_command_count == 0, "wrong seen_command_count");
+	ck_assert_msg(ctx->protoctx->is_valid == 0, "wrong is_valid");

 	proto_free(ctx);
 }
@ -740,10 +740,10 @@ START_TEST(protosmtp_validate_response_03)
 	char array01[] = {'6', '0', '0', ' ', 's', 'm', 't', 'p'};
 	int rv = protosmtp_validate_response(ctx, array01, sizeof(array01));

-	fail_unless(rv == -1, "wrong return value");
-	fail_unless(smtp_ctx->not_valid == 1, "wrong not_valid");
-	fail_unless(smtp_ctx->seen_command_count == 0, "wrong seen_command_count");
-	fail_unless(ctx->protoctx->is_valid == 0, "wrong is_valid");
+	ck_assert_msg(rv == -1, "wrong return value");
+	ck_assert_msg(smtp_ctx->not_valid == 1, "wrong not_valid");
+	ck_assert_msg(smtp_ctx->seen_command_count == 0, "wrong seen_command_count");
+	ck_assert_msg(ctx->protoctx->is_valid == 0, "wrong is_valid");

 	proto_free(ctx);
 }
@ -757,19 +757,19 @@ START_TEST(protosmtp_validate_response_04)
 	char array01[] = {'2', '2', '0', ' ', 's', 'm', 't', 'p'};
 	int rv = protosmtp_validate_response(ctx, array01, sizeof(array01));

-	fail_unless(rv == 0, "wrong return value");
-	fail_unless(smtp_ctx->not_valid == 0, "wrong not_valid");
-	fail_unless(smtp_ctx->seen_command_count == 0, "wrong seen_command_count");
-	fail_unless(ctx->protoctx->is_valid == 0, "wrong is_valid");
+	ck_assert_msg(rv == 0, "wrong return value");
+	ck_assert_msg(smtp_ctx->not_valid == 0, "wrong not_valid");
+	ck_assert_msg(smtp_ctx->seen_command_count == 0, "wrong seen_command_count");
+	ck_assert_msg(ctx->protoctx->is_valid == 0, "wrong is_valid");

 	rv = protosmtp_validate_response(ctx, array01, sizeof(array01));

 	// Normally we don't call protosmtp_validate_response() more than once.
 	// This is for testing purposes only.
-	fail_unless(rv == 0, "wrong return value");
-	fail_unless(smtp_ctx->not_valid == 0, "wrong not_valid");
-	fail_unless(smtp_ctx->seen_command_count == 0, "wrong seen_command_count");
-	fail_unless(ctx->protoctx->is_valid == 0, "wrong is_valid");
+	ck_assert_msg(rv == 0, "wrong return value");
+	ck_assert_msg(smtp_ctx->not_valid == 0, "wrong not_valid");
+	ck_assert_msg(smtp_ctx->seen_command_count == 0, "wrong seen_command_count");
+	ck_assert_msg(ctx->protoctx->is_valid == 0, "wrong is_valid");

 	// Normally we don't call protosmtp_validate_response() more than once,
 	// but smtp_ctx->not_valid should be set to 1.
@ -777,10 +777,10 @@ START_TEST(protosmtp_validate_response_04)
 	char array02[] = {'1', '9', '9', ' ', 's', 'm', 't', 'p'};
 	rv = protosmtp_validate_response(ctx, array02, sizeof(array02));

-	fail_unless(rv == -1, "wrong return value");
-	fail_unless(smtp_ctx->not_valid == 1, "wrong not_valid");
-	fail_unless(smtp_ctx->seen_command_count == 0, "wrong seen_command_count");
-	fail_unless(ctx->protoctx->is_valid == 0, "wrong is_valid");
+	ck_assert_msg(rv == -1, "wrong return value");
+	ck_assert_msg(smtp_ctx->not_valid == 1, "wrong not_valid");
+	ck_assert_msg(smtp_ctx->seen_command_count == 0, "wrong seen_command_count");
+	ck_assert_msg(ctx->protoctx->is_valid == 0, "wrong is_valid");

 	proto_free(ctx);
 }
@ -794,19 +794,19 @@ START_TEST(protosmtp_validate_response_05)
 	char array01[] = {'1', '9', '9', ' ', 's', 'm', 't', 'p'};
 	int rv = protosmtp_validate_response(ctx, array01, sizeof(array01));

-	fail_unless(rv == -1, "wrong return value");
-	fail_unless(smtp_ctx->not_valid == 1, "wrong not_valid");
-	fail_unless(smtp_ctx->seen_command_count == 0, "wrong seen_command_count");
-	fail_unless(ctx->protoctx->is_valid == 0, "wrong is_valid");
+	ck_assert_msg(rv == -1, "wrong return value");
+	ck_assert_msg(smtp_ctx->not_valid == 1, "wrong not_valid");
+	ck_assert_msg(smtp_ctx->seen_command_count == 0, "wrong seen_command_count");
+	ck_assert_msg(ctx->protoctx->is_valid == 0, "wrong is_valid");

 	// Normally we don't call protosmtp_validate_response() more than once.
 	// This is for testing purposes only.
 	rv = protosmtp_validate_response(ctx, array01, sizeof(array01));

-	fail_unless(rv == -1, "wrong return value");
-	fail_unless(smtp_ctx->not_valid == 1, "wrong not_valid");
-	fail_unless(smtp_ctx->seen_command_count == 0, "wrong seen_command_count");
-	fail_unless(ctx->protoctx->is_valid == 0, "wrong is_valid");
+	ck_assert_msg(rv == -1, "wrong return value");
+	ck_assert_msg(smtp_ctx->not_valid == 1, "wrong not_valid");
+	ck_assert_msg(smtp_ctx->seen_command_count == 0, "wrong seen_command_count");
+	ck_assert_msg(ctx->protoctx->is_valid == 0, "wrong is_valid");

 	// Normally we don't call protosmtp_validate_response() more than once,
 	// but smtp_ctx->not_valid should remain 1.
@ -814,10 +814,10 @@ START_TEST(protosmtp_validate_response_05)
 	char array02[] = {'2', '2', '0', ' ', 's', 'm', 't', 'p'};
 	rv = protosmtp_validate_response(ctx, array02, sizeof(array02));

-	fail_unless(rv == -1, "wrong return value");
-	fail_unless(smtp_ctx->not_valid == 1, "wrong not_valid");
-	fail_unless(smtp_ctx->seen_command_count == 0, "wrong seen_command_count");
-	fail_unless(ctx->protoctx->is_valid == 0, "wrong is_valid");
+	ck_assert_msg(rv == -1, "wrong return value");
+	ck_assert_msg(smtp_ctx->not_valid == 1, "wrong not_valid");
+	ck_assert_msg(smtp_ctx->seen_command_count == 0, "wrong seen_command_count");
+	ck_assert_msg(ctx->protoctx->is_valid == 0, "wrong is_valid");

 	proto_free(ctx);
 }
@ -831,10 +831,10 @@ START_TEST(protosmtp_validate_response_06)
 	char array01[] = {'2', '2', '0', '0', ' ', 's', 'm', 't', 'p'};
 	int rv = protosmtp_validate_response(ctx, array01, sizeof(array01));

-	fail_unless(rv == -1, "wrong return value");
-	fail_unless(smtp_ctx->not_valid == 1, "wrong not_valid");
-	fail_unless(smtp_ctx->seen_command_count == 0, "wrong seen_command_count");
-	fail_unless(ctx->protoctx->is_valid == 0, "wrong is_valid");
+	ck_assert_msg(rv == -1, "wrong return value");
+	ck_assert_msg(smtp_ctx->not_valid == 1, "wrong not_valid");
+	ck_assert_msg(smtp_ctx->seen_command_count == 0, "wrong seen_command_count");
+	ck_assert_msg(ctx->protoctx->is_valid == 0, "wrong is_valid");

 	proto_free(ctx);
 }
@ -848,10 +848,10 @@ START_TEST(protosmtp_validate_response_07)
 	char array01[] = {'1', '9', '9', '9', ' ', 's', 'm', 't', 'p'};
 	int rv = protosmtp_validate_response(ctx, array01, sizeof(array01));

-	fail_unless(rv == -1, "wrong return value");
-	fail_unless(smtp_ctx->not_valid == 1, "wrong not_valid");
-	fail_unless(smtp_ctx->seen_command_count == 0, "wrong seen_command_count");
-	fail_unless(ctx->protoctx->is_valid == 0, "wrong is_valid");
+	ck_assert_msg(rv == -1, "wrong return value");
+	ck_assert_msg(smtp_ctx->not_valid == 1, "wrong not_valid");
+	ck_assert_msg(smtp_ctx->seen_command_count == 0, "wrong seen_command_count");
+	ck_assert_msg(ctx->protoctx->is_valid == 0, "wrong is_valid");

 	proto_free(ctx);
 }
@ -865,10 +865,10 @@ START_TEST(protosmtp_validate_response_08)
 	char array01[] = {'6', '0', '0', '0', ' ', 's', 'm', 't', 'p'};
 	int rv = protosmtp_validate_response(ctx, array01, sizeof(array01));

-	fail_unless(rv == -1, "wrong return value");
-	fail_unless(smtp_ctx->not_valid == 1, "wrong not_valid");
-	fail_unless(smtp_ctx->seen_command_count == 0, "wrong seen_command_count");
-	fail_unless(ctx->protoctx->is_valid == 0, "wrong is_valid");
+	ck_assert_msg(rv == -1, "wrong return value");
+	ck_assert_msg(smtp_ctx->not_valid == 1, "wrong not_valid");
+	ck_assert_msg(smtp_ctx->seen_command_count == 0, "wrong seen_command_count");
+	ck_assert_msg(ctx->protoctx->is_valid == 0, "wrong is_valid");

 	proto_free(ctx);
 }
--- a/tests/check/pxythrmgr.t.c
+++ b/tests/check/pxythrmgr.t.c
@ -37,7 +37,7 @@ START_TEST(pxythrmgr_libevent_01)
 	struct event_base *evbase;

 	evbase = event_base_new();
-	fail_unless(!!evbase, "no event base");
+	ck_assert_msg(!!evbase, "no event base");
 	event_base_free(evbase);
 }
 END_TEST
@ -48,9 +48,9 @@ START_TEST(pxythrmgr_libevent_02)
 	struct evdns_base *dnsbase;

 	evbase = event_base_new();
-	fail_unless(!!evbase, "no event base");
+	ck_assert_msg(!!evbase, "no event base");
 	dnsbase = evdns_base_new(evbase, 0);
-	fail_unless(!!dnsbase, "no evdns base");
+	ck_assert_msg(!!dnsbase, "no evdns base");
 	evdns_base_free(dnsbase, 0);
 	event_base_free(evbase);
 }
@ -63,12 +63,12 @@ START_TEST(pxythrmgr_libevent_03)
 	int rc;

 	evbase = event_base_new();
-	fail_unless(!!evbase, "no event base");
+	ck_assert_msg(!!evbase, "no event base");
 	dnsbase = evdns_base_new(evbase, 0);
-	fail_unless(!!dnsbase, "no evdns base");
+	ck_assert_msg(!!dnsbase, "no evdns base");
 	rc = evdns_base_resolv_conf_parse(dnsbase, DNS_OPTIONS_ALL,
 	                                  "/etc/resolv.conf");
-	fail_unless(rc == 0, "unable to parse resolv.conf");
+	ck_assert_msg(rc == 0, "unable to parse resolv.conf");
 	evdns_base_free(dnsbase, 0);
 	event_base_free(evbase);
 }
@ -80,9 +80,9 @@ START_TEST(pxythrmgr_libevent_04)
 	struct evdns_base *dnsbase;

 	evbase = event_base_new();
-	fail_unless(!!evbase, "no event base");
+	ck_assert_msg(!!evbase, "no event base");
 	dnsbase = evdns_base_new(evbase, 1);
-	fail_unless(!!dnsbase, "no evdns base");
+	ck_assert_msg(!!dnsbase, "no evdns base");
 	evdns_base_free(dnsbase, 0);
 	event_base_free(evbase);
 }
@ -96,11 +96,11 @@ START_TEST(pxythrmgr_libevent_05)

 	/* issue #17:  */
 	evbase1 = event_base_new();
-	fail_unless(!!evbase1, "no event base 1");
+	ck_assert_msg(!!evbase1, "no event base 1");
 	evbase2 = event_base_new();
-	fail_unless(!!evbase1, "no event base 2");
+	ck_assert_msg(!!evbase1, "no event base 2");
 	dnsbase = evdns_base_new(evbase2, 1);
-	fail_unless(!!dnsbase, "no evdns base");
+	ck_assert_msg(!!dnsbase, "no evdns base");
 	evdns_base_free(dnsbase, 0);
 	event_base_free(evbase2);
 	event_base_free(evbase1);
--- a/tests/check/ssl.t.c
+++ b/tests/check/ssl.t.c
@ -82,7 +82,7 @@ static char name11[] = "";
 START_TEST(ssl_wildcardify_01)
 {
 	char *wc = ssl_wildcardify(name1);
-	fail_unless(!strcmp(wc, wildcard1), "mismatch for 'www.example.org'");
+	ck_assert_msg(!strcmp(wc, wildcard1), "mismatch for 'www.example.org'");
 	free(wc);
 }
 END_TEST
@ -90,7 +90,7 @@ END_TEST
 START_TEST(ssl_wildcardify_02)
 {
 	char *wc = ssl_wildcardify(name8);
-	fail_unless(!strcmp(wc, wildcard5), "mismatch for 'ch'");
+	ck_assert_msg(!strcmp(wc, wildcard5), "mismatch for 'ch'");
 	free(wc);
 }
 END_TEST
@ -98,14 +98,14 @@ END_TEST
 START_TEST(ssl_wildcardify_03)
 {
 	char *wc = ssl_wildcardify(name11);
-	fail_unless(!strcmp(wc, wildcard5), "mismatch for ''");
+	ck_assert_msg(!strcmp(wc, wildcard5), "mismatch for ''");
 	free(wc);
 }
 END_TEST

 START_TEST(ssl_dnsname_match_01)
 {
-	fail_unless(
+	ck_assert_msg(
 		ssl_dnsname_match(name1, sizeof(name1) - 1,
 		                  name1, sizeof(name1) - 1),
 		"Hostname does not match itself");
@ -114,7 +114,7 @@ END_TEST

 START_TEST(ssl_dnsname_match_02)
 {
-	fail_unless(
+	ck_assert_msg(
 		!ssl_dnsname_match(name1, sizeof(name1) - 1,
 		                   name2, sizeof(name2) - 1),
 		"Hostname matches hostname with different TLD");
@ -123,7 +123,7 @@ END_TEST

 START_TEST(ssl_dnsname_match_03)
 {
-	fail_unless(
+	ck_assert_msg(
 		ssl_dnsname_match(wildcard1, sizeof(wildcard1) - 1,
 		                  name1, sizeof(name1) - 1),
 		"Regular wildcard does not match");
@ -132,7 +132,7 @@ END_TEST

 START_TEST(ssl_dnsname_match_04)
 {
-	fail_unless(
+	ck_assert_msg(
 		!ssl_dnsname_match(wildcard1, sizeof(wildcard1) - 1,
 		                   name2, sizeof(name2) - 1),
 		"Regular wildcard matches other TLD");
@ -141,7 +141,7 @@ END_TEST

 START_TEST(ssl_dnsname_match_05)
 {
-	fail_unless(
+	ck_assert_msg(
 		!ssl_dnsname_match(wildcard1, sizeof(wildcard1) - 1,
 		                   name3, sizeof(name3) - 1),
 		"Regular wildcard matches upper level domain");
@ -150,7 +150,7 @@ END_TEST

 START_TEST(ssl_dnsname_match_06)
 {
-	fail_unless(
+	ck_assert_msg(
 		!ssl_dnsname_match(wildcard1, sizeof(wildcard1) - 1,
 		                   name4, sizeof(name4) - 1),
 		"Regular wildcard matches despite added suffix");
@ -159,7 +159,7 @@ END_TEST

 START_TEST(ssl_dnsname_match_07)
 {
-	fail_unless(
+	ck_assert_msg(
 		!ssl_dnsname_match(wildcard1, sizeof(wildcard1) - 1,
 		                   name5, sizeof(name5) - 1),
 		"Regular wildcard matches two elements");
@ -168,7 +168,7 @@ END_TEST

 START_TEST(ssl_dnsname_match_08)
 {
-	fail_unless(
+	ck_assert_msg(
 		!ssl_dnsname_match(wildcard2, sizeof(wildcard2) - 1,
 		                   name6, sizeof(name6) - 1),
 		"Wildcard matches in non-leftmost element");
@ -177,7 +177,7 @@ END_TEST

 START_TEST(ssl_dnsname_match_09)
 {
-	fail_unless(
+	ck_assert_msg(
 		!ssl_dnsname_match(wildcard3, sizeof(wildcard3) - 1,
 		                   name5, sizeof(name5) - 1),
 		"Multiple wildcard matches");
@ -186,7 +186,7 @@ END_TEST

 START_TEST(ssl_dnsname_match_10)
 {
-	fail_unless(
+	ck_assert_msg(
 		!ssl_dnsname_match(wildcard4, sizeof(wildcard4) - 1,
 		                   name7, sizeof(name7) - 1),
 		"Partial label wildcard matches");
@ -195,7 +195,7 @@ END_TEST

 START_TEST(ssl_dnsname_match_11)
 {
-	fail_unless(
+	ck_assert_msg(
 		!ssl_dnsname_match(wildcard5, sizeof(wildcard5) - 1,
 		                   name1, sizeof(name1) - 1),
 		"Global wildcard * matches fqdn");
@ -204,7 +204,7 @@ END_TEST

 START_TEST(ssl_dnsname_match_12)
 {
-	fail_unless(
+	ck_assert_msg(
 		ssl_dnsname_match(wildcard5, sizeof(wildcard5) - 1,
 		                  name8, sizeof(name8) - 1),
 		"Global wildcard * does not match TLD");
@ -213,7 +213,7 @@ END_TEST

 START_TEST(ssl_dnsname_match_13)
 {
-	fail_unless(
+	ck_assert_msg(
 		ssl_dnsname_match(wildcard6, sizeof(wildcard6) - 1,
 		                  name9, sizeof(name9) - 1),
 		"IDN wildcard does not match");
@ -222,7 +222,7 @@ END_TEST

 START_TEST(ssl_dnsname_match_14)
 {
-	fail_unless(
+	ck_assert_msg(
 		ssl_dnsname_match(wildcard6, sizeof(wildcard6) - 1,
 		                  name10, sizeof(name10) - 1),
 		"IDN wildcard does not match IDN element");
@ -231,7 +231,7 @@ END_TEST

 START_TEST(ssl_dnsname_match_15)
 {
-	fail_unless(
+	ck_assert_msg(
 		!ssl_dnsname_match(wildcard7, sizeof(wildcard7) - 1,
 		                   name10, sizeof(name10) - 1),
 		"Illegal IDN wildcard matches");
@ -240,7 +240,7 @@ END_TEST

 START_TEST(ssl_dnsname_match_16)
 {
-	fail_unless(
+	ck_assert_msg(
 		!ssl_dnsname_match(wildcard8, sizeof(wildcard8) - 1,
 		                   name10, sizeof(name10) - 1),
 		"Illegal IDN wildcard matches IDN element");
@ -366,13 +366,13 @@ START_TEST(ssl_tls_clienthello_parse_00)
 	                               sizeof(clienthello00) - 1,
 	                               0, &ch, &sni);
 #ifdef HAVE_SSLV2
-	fail_unless(rv == 0, "rv not 0");
-	fail_unless(ch != NULL, "ch is NULL");
-	fail_unless(sni == NULL, "sni not NULL");
+	ck_assert_msg(rv == 0, "rv not 0");
+	ck_assert_msg(ch != NULL, "ch is NULL");
+	ck_assert_msg(sni == NULL, "sni not NULL");
 #else /* !HAVE_SSLV2 */
-	fail_unless(rv == 1, "rv not 1");
-	fail_unless(ch == NULL, "ch not NULL");
-	fail_unless(sni == (void*)0xDEADBEEF, "sni modified");
+	ck_assert_msg(rv == 1, "rv not 1");
+	ck_assert_msg(ch == NULL, "ch not NULL");
+	ck_assert_msg(sni == (void*)0xDEADBEEF, "sni modified");
 #endif /* !HAVE_SSLV2 */
 }
 END_TEST
@ -386,9 +386,9 @@ START_TEST(ssl_tls_clienthello_parse_01)
 	rv = ssl_tls_clienthello_parse(clienthello01,
 	                               sizeof(clienthello01) - 1,
 	                               0, &ch, &sni);
-	fail_unless(rv == 0, "rv not 0");
-	fail_unless(ch != NULL, "ch is NULL");
-	fail_unless(sni == NULL, "sni not NULL");
+	ck_assert_msg(rv == 0, "rv not 0");
+	ck_assert_msg(ch != NULL, "ch is NULL");
+	ck_assert_msg(sni == NULL, "sni not NULL");
 }
 END_TEST

@ -401,9 +401,9 @@ START_TEST(ssl_tls_clienthello_parse_02)
 	rv = ssl_tls_clienthello_parse(clienthello02,
 	                                sizeof(clienthello02) - 1,
 	                                0, &ch, &sni);
-	fail_unless(rv == 0, "rv not 0");
-	fail_unless(ch != NULL, "ch is NULL");
-	fail_unless(sni == NULL, "sni not NULL");
+	ck_assert_msg(rv == 0, "rv not 0");
+	ck_assert_msg(ch != NULL, "ch is NULL");
+	ck_assert_msg(sni == NULL, "sni not NULL");
 }
 END_TEST

@ -416,9 +416,9 @@ START_TEST(ssl_tls_clienthello_parse_03)
 	rv = ssl_tls_clienthello_parse(clienthello03,
 	                                sizeof(clienthello03) - 1,
 	                                0, &ch, &sni);
-	fail_unless(rv == 0, "rv not 0");
-	fail_unless(ch != NULL, "ch is NULL");
-	fail_unless(sni && !strcmp(sni, "192.168.100.4"),
+	ck_assert_msg(rv == 0, "rv not 0");
+	ck_assert_msg(ch != NULL, "ch is NULL");
+	ck_assert_msg(sni && !strcmp(sni, "192.168.100.4"),
 	            "sni not '192.168.100.4' but should be");
 }
 END_TEST
@ -432,9 +432,9 @@ START_TEST(ssl_tls_clienthello_parse_04)
 	rv = ssl_tls_clienthello_parse(clienthello04,
 	                                sizeof(clienthello04) - 1,
 	                                0, &ch, &sni);
-	fail_unless(rv == 0, "rv not 0");
-	fail_unless(ch != NULL, "ch is NULL");
-	fail_unless(sni && !strcmp(sni, "kamesh.com"),
+	ck_assert_msg(rv == 0, "rv not 0");
+	ck_assert_msg(ch != NULL, "ch is NULL");
+	ck_assert_msg(sni && !strcmp(sni, "kamesh.com"),
 	            "sni not 'kamesh.com' but should be");
 }
 END_TEST
@ -449,9 +449,9 @@ START_TEST(ssl_tls_clienthello_parse_05)

 		sz = (ssize_t)i;
 		rv = ssl_tls_clienthello_parse(clienthello04, sz, 0, &ch, &sni);
-		fail_unless(rv == 1, "rv not 1");
-		fail_unless(ch != NULL, "ch is NULL");
-		fail_unless(sni == (void*)0xDEADBEEF, "sni modified");
+		ck_assert_msg(rv == 1, "rv not 1");
+		ck_assert_msg(ch != NULL, "ch is NULL");
+		ck_assert_msg(sni == (void*)0xDEADBEEF, "sni modified");
 	}
 }
 END_TEST
@ -465,9 +465,9 @@ START_TEST(ssl_tls_clienthello_parse_06)
 	rv = ssl_tls_clienthello_parse(clienthello05,
 	                                sizeof(clienthello05) - 1,
 	                                0, &ch, &sni);
-	fail_unless(rv == 0, "rv not 0");
-	fail_unless(ch != NULL, "ch is NULL");
-	fail_unless(sni && !strcmp(sni, "daniel.roe.ch"),
+	ck_assert_msg(rv == 0, "rv not 0");
+	ck_assert_msg(ch != NULL, "ch is NULL");
+	ck_assert_msg(sni && !strcmp(sni, "daniel.roe.ch"),
 	            "sni not 'daniel.roe.ch' but should be");
 }
 END_TEST
@ -482,9 +482,9 @@ START_TEST(ssl_tls_clienthello_parse_07)

 		sz = (ssize_t)i;
 		rv = ssl_tls_clienthello_parse(clienthello05, sz, 0, &ch, &sni);
-		fail_unless(rv == 1, "rv not 1");
-		fail_unless(ch != NULL, "ch is NULL");
-		fail_unless(sni == (void*)0xDEADBEEF, "sni modified");
+		ck_assert_msg(rv == 1, "rv not 1");
+		ck_assert_msg(ch != NULL, "ch is NULL");
+		ck_assert_msg(sni == (void*)0xDEADBEEF, "sni modified");
 	}
 }
 END_TEST
@ -498,9 +498,9 @@ START_TEST(ssl_tls_clienthello_parse_08)
 	rv = ssl_tls_clienthello_parse(clienthello06,
 	                                sizeof(clienthello06) - 1,
 	                                0, &ch, &sni);
-	fail_unless(rv == 1, "rv not 1");
-	fail_unless(ch == NULL, "ch not NULL");
-	fail_unless(sni == (void*)0xDEADBEEF, "sni modified");
+	ck_assert_msg(rv == 1, "rv not 1");
+	ck_assert_msg(ch == NULL, "ch not NULL");
+	ck_assert_msg(sni == (void*)0xDEADBEEF, "sni modified");
 }
 END_TEST

@ -513,10 +513,10 @@ START_TEST(ssl_tls_clienthello_parse_09)
 	rv = ssl_tls_clienthello_parse(clienthello06,
 	                                sizeof(clienthello06) - 1,
 	                                1, &ch, &sni);
-	fail_unless(rv == 0, "rv not 0");
-	fail_unless(ch != NULL, "ch is NULL");
-	fail_unless((ch - clienthello06) != 21, "ch does not point to start");
-	fail_unless(sni && !strcmp(sni, "daniel.roe.ch"),
+	ck_assert_msg(rv == 0, "rv not 0");
+	ck_assert_msg(ch != NULL, "ch is NULL");
+	ck_assert_msg((ch - clienthello06) != 21, "ch does not point to start");
+	ck_assert_msg(sni && !strcmp(sni, "daniel.roe.ch"),
 	            "sni not 'daniel.roe.ch' but should be");
 }
 END_TEST
@ -529,9 +529,9 @@ START_TEST(ssl_tls_clienthello_parse_10)
 	rv = ssl_tls_clienthello_parse(clienthello06,
 	                                sizeof(clienthello06) - 1,
 	                                1, &ch, NULL);
-	fail_unless(rv == 0, "rv not 0");
-	fail_unless(ch != NULL, "ch is NULL");
-	fail_unless((ch - clienthello06) != 21, "ch does not point to start");
+	ck_assert_msg(rv == 0, "rv not 0");
+	ck_assert_msg(ch != NULL, "ch is NULL");
+	ck_assert_msg((ch - clienthello06) != 21, "ch does not point to start");
 }
 END_TEST

@ -542,20 +542,20 @@ START_TEST(ssl_key_identifier_sha1_01)
 	unsigned char keyid[SSL_KEY_IDSZ];

 	c = ssl_x509_load(TESTCERT);
-	fail_unless(!!c, "loading certificate failed");
+	ck_assert_msg(!!c, "loading certificate failed");
 	k = ssl_key_load(TESTKEY);
-	fail_unless(!!k, "loading key failed");
+	ck_assert_msg(!!k, "loading key failed");

-	fail_unless(ssl_key_identifier_sha1(k, keyid) == 0,
+	ck_assert_msg(ssl_key_identifier_sha1(k, keyid) == 0,
 	            "ssl_key_identifier_sha1() failed");

 	int loc = X509_get_ext_by_NID(c, NID_subject_key_identifier, -1);
 	X509_EXTENSION *ext = X509_get_ext(c, loc);
-	fail_unless(!!ext, "loading ext failed");
+	ck_assert_msg(!!ext, "loading ext failed");
 	ASN1_STRING *value = X509_EXTENSION_get_data(ext);
-	fail_unless(ASN1_STRING_length(value) - 2 == SSL_KEY_IDSZ,
+	ck_assert_msg(ASN1_STRING_length(value) - 2 == SSL_KEY_IDSZ,
 	             "extension length mismatch");
-	fail_unless(!memcmp(ASN1_STRING_get0_data(value) + 2, keyid, SSL_KEY_IDSZ),
+	ck_assert_msg(!memcmp(ASN1_STRING_get0_data(value) + 2, keyid, SSL_KEY_IDSZ),
 	            "key id mismatch");
 	EVP_PKEY_free(k);
 	X509_free(c);
@ -568,18 +568,18 @@ START_TEST(ssl_x509_names_01)
 	char **names, **p;

 	c = ssl_x509_load(TESTCERT);
-	fail_unless(!!c, "loading certificate failed");
+	ck_assert_msg(!!c, "loading certificate failed");
 	names = ssl_x509_names(c);
-	fail_unless(!!names, "parsing names failed");
-	fail_unless(!!names[0], "first name");
-	fail_unless(!strcmp(names[0], "daniel.roe.ch"), "first name");
-	fail_unless(!!names[1], "second name");
-	fail_unless(!strcmp(names[1], "daniel.roe.ch"), "second name");
-	fail_unless(!!names[2], "third name");
-	fail_unless(!strcmp(names[2], "www.roe.ch"), "third name");
-	fail_unless(!!names[3], "fourth name");
-	fail_unless(!strcmp(names[3], "*.roe.ch"), "fourth name");
-	fail_unless(!names[4], "too many names");
+	ck_assert_msg(!!names, "parsing names failed");
+	ck_assert_msg(!!names[0], "first name");
+	ck_assert_msg(!strcmp(names[0], "daniel.roe.ch"), "first name");
+	ck_assert_msg(!!names[1], "second name");
+	ck_assert_msg(!strcmp(names[1], "daniel.roe.ch"), "second name");
+	ck_assert_msg(!!names[2], "third name");
+	ck_assert_msg(!strcmp(names[2], "www.roe.ch"), "third name");
+	ck_assert_msg(!!names[3], "fourth name");
+	ck_assert_msg(!strcmp(names[3], "*.roe.ch"), "fourth name");
+	ck_assert_msg(!names[4], "too many names");
 	p = names;
 	while (*p)
 		free(*p++);
@ -594,10 +594,10 @@ START_TEST(ssl_x509_names_to_str_01)
 	char *names;

 	c = ssl_x509_load(TESTCERT);
-	fail_unless(!!c, "loading certificate failed");
+	ck_assert_msg(!!c, "loading certificate failed");
 	names = ssl_x509_names_to_str(c);
-	fail_unless(!!names, "no string");
-	fail_unless(!strcmp(names,
+	ck_assert_msg(!!names, "no string");
+	ck_assert_msg(!strcmp(names,
 	            "daniel.roe.ch/daniel.roe.ch/www.roe.ch/*.roe.ch"),
 	            "wrong name string");
 	X509_free(c);
@ -610,10 +610,10 @@ START_TEST(ssl_x509_names_to_str_02)
 	char *names;

 	c = ssl_x509_load(TESTCERT2);
-	fail_unless(!!c, "loading certificate failed");
+	ck_assert_msg(!!c, "loading certificate failed");
 	names = ssl_x509_names_to_str(c);
-	fail_unless(!!names, "no string");
-	fail_unless(!strcmp(names, "SSLsplit Root CA"), "wrong name string");
+	ck_assert_msg(!!names, "no string");
+	ck_assert_msg(!strcmp(names, "SSLsplit Root CA"), "wrong name string");
 	X509_free(c);
 }
 END_TEST
@ -624,10 +624,10 @@ START_TEST(ssl_x509_subject_01)
 	char *subject;

 	c = ssl_x509_load(TESTCERT);
-	fail_unless(!!c, "loading certificate failed");
+	ck_assert_msg(!!c, "loading certificate failed");
 	subject = ssl_x509_subject(c);
-	fail_unless(!!subject, "no string");
-	fail_unless(!strcmp(subject, "/C=CH/O=SSLsplit Test Certificate/"
+	ck_assert_msg(!!subject, "no string");
+	ck_assert_msg(!strcmp(subject, "/C=CH/O=SSLsplit Test Certificate/"
 	                             "CN=daniel.roe.ch"),
 	            "wrong subject string");
 	X509_free(c);
@ -642,14 +642,14 @@ START_TEST(ssl_x509_subject_cn_01)
 	size_t expsz = strlen("daniel.roe.ch") + 1;

 	c = ssl_x509_load(TESTCERT);
-	fail_unless(!!c, "loading certificate failed");
+	ck_assert_msg(!!c, "loading certificate failed");
 	cn = ssl_x509_subject_cn(c, &sz);
-	fail_unless(!!cn, "no string");
-	fail_unless(sz >= expsz, "subject CN size too small");
-	fail_unless(!strcmp(cn, "daniel.roe.ch"), "wrong subject CN string");
+	ck_assert_msg(!!cn, "no string");
+	ck_assert_msg(sz >= expsz, "subject CN size too small");
+	ck_assert_msg(!strcmp(cn, "daniel.roe.ch"), "wrong subject CN string");
 #if 0
 	for (unsigned int i = expsz; i < sz; i++) {
-		fail_unless(cn[i] == '\0', "extra byte != 0");
+		ck_assert_msg(cn[i] == '\0', "extra byte != 0");
 	}
 #endif
 	X509_free(c);
@ -662,13 +662,13 @@ START_TEST(ssl_x509_ocsps_01)
 	char **ocsps, **p;

 	c = ssl_x509_load(TESTCERT);
-	fail_unless(!!c, "loading certificate failed");
+	ck_assert_msg(!!c, "loading certificate failed");
 	ocsps = ssl_x509_ocsps(c);
-	fail_unless(!!ocsps, "parsing OCSP extensions failed");
-	fail_unless(!!ocsps[0], "first OCSP");
-	fail_unless(!strcmp(ocsps[0], "http://daniel.roe.ch/test/ocsp"),
+	ck_assert_msg(!!ocsps, "parsing OCSP extensions failed");
+	ck_assert_msg(!!ocsps[0], "first OCSP");
+	ck_assert_msg(!strcmp(ocsps[0], "http://daniel.roe.ch/test/ocsp"),
 	                              "first OCSP");
-	fail_unless(!ocsps[1], "too many OCSPs");
+	ck_assert_msg(!ocsps[1], "too many OCSPs");
 	p = ocsps;
 	while (*p)
 		free(*p++);
@ -683,9 +683,9 @@ START_TEST(ssl_x509_ocsps_02)
 	char **ocsps;

 	c = ssl_x509_load(TESTCERT2);
-	fail_unless(!!c, "loading certificate failed");
+	ck_assert_msg(!!c, "loading certificate failed");
 	ocsps = ssl_x509_ocsps(c);
-	fail_unless(!ocsps, "unexpected OCSP extensions");
+	ck_assert_msg(!ocsps, "unexpected OCSP extensions");
 	X509_free(c);
 }
 END_TEST
@ -700,8 +700,8 @@ START_TEST(ssl_is_ocspreq_01)
 	size_t sz;

 	buf = base64_dec(ocspreq01, sizeof(ocspreq01) - 1, &sz);
-	fail_unless(!!buf, "failed to base64 decode");
-	fail_unless(ssl_is_ocspreq(buf, sz), "is not ocsp req");
+	ck_assert_msg(!!buf, "failed to base64 decode");
+	ck_assert_msg(ssl_is_ocspreq(buf, sz), "is not ocsp req");
 }
 END_TEST

@ -709,7 +709,7 @@ START_TEST(ssl_features_01)
 {
 	long vdiff = ((OPENSSL_VERSION_NUMBER ^ SSLeay()) & 0xfffff000L);

-	fail_unless(!vdiff, "OpenSSL version mismatch at runtime");
+	ck_assert_msg(!vdiff, "OpenSSL version mismatch at runtime");
 }
 END_TEST

@ -719,7 +719,7 @@ START_TEST(ssl_features_02)
 #ifdef OPENSSL_THREADS
 	have_threads = 1;
 #endif /* OPENSSL_THREADS */
-	fail_unless(have_threads, "!OPENSSL_THREADS: no threading support");
+	ck_assert_msg(have_threads, "!OPENSSL_THREADS: no threading support");
 }
 END_TEST

@ -728,7 +728,7 @@ START_TEST(ssl_key_refcount_inc_01)
 	EVP_PKEY *key;

 	key = ssl_key_load(TESTKEY);
-	fail_unless(!!key, "loading key failed");
+	ck_assert_msg(!!key, "loading key failed");
 	ssl_key_refcount_inc(key);
 	ssl_key_refcount_inc(key);
 	ssl_key_refcount_inc(key);
@ -745,7 +745,7 @@ START_TEST(ssl_x509_refcount_inc_01)
 	X509 *crt;

 	crt = ssl_x509_load(TESTCERT);
-	fail_unless(!!crt, "loading certificate failed");
+	ck_assert_msg(!!crt, "loading certificate failed");
 	ssl_x509_refcount_inc(crt);
 	ssl_x509_refcount_inc(crt);
 	ssl_x509_refcount_inc(crt);
@ -763,10 +763,10 @@ START_TEST(ssl_engine_01)
 	char cwd[PATH_MAX];
 	char *path;

-	fail_unless(getcwd(cwd, sizeof(cwd)) == cwd, "getcwd() failed");
-	fail_unless(asprintf(&path, "%s/"ENGINE, cwd) != -1 && !!path,
+	ck_assert_msg(getcwd(cwd, sizeof(cwd)) == cwd, "getcwd() failed");
+	ck_assert_msg(asprintf(&path, "%s/"ENGINE, cwd) != -1 && !!path,
 	            "constructing engine path failed");
-	fail_unless(ssl_engine(path) == 0, "loading OpenSSL engine failed");
+	ck_assert_msg(ssl_engine(path) == 0, "loading OpenSSL engine failed");
 	free(path);
 }
 END_TEST
--- a/tests/check/sys.t.c
+++ b/tests/check/sys.t.c
@ -106,31 +106,31 @@ sys_isdir_teardown(void)

 START_TEST(sys_isdir_01)
 {
-	fail_unless(sys_isdir(dir), "Directory !isdir");
+	ck_assert_msg(sys_isdir(dir), "Directory !isdir");
 }
 END_TEST

 START_TEST(sys_isdir_02)
 {
-	fail_unless(sys_isdir(ldir), "Symlink dir !isdir");
+	ck_assert_msg(sys_isdir(ldir), "Symlink dir !isdir");
 }
 END_TEST

 START_TEST(sys_isdir_03)
 {
-	fail_unless(!sys_isdir(notexist), "Not-exist isdir");
+	ck_assert_msg(!sys_isdir(notexist), "Not-exist isdir");
 }
 END_TEST

 START_TEST(sys_isdir_04)
 {
-	fail_unless(!sys_isdir(file), "File isdir");
+	ck_assert_msg(!sys_isdir(file), "File isdir");
 }
 END_TEST

 START_TEST(sys_isdir_05)
 {
-	fail_unless(!sys_isdir(lfile), "Symlink file isdir");
+	ck_assert_msg(!sys_isdir(lfile), "Symlink file isdir");
 }
 END_TEST

@ -167,10 +167,10 @@ START_TEST(sys_mkpath_01)

 	rv = asprintf(&dir, "%s/a/bb/ccc/dddd/eeeee/ffffff/ggggggg/hhhhhhhh",
 	              basedir);
-	fail_unless((rv != -1) && !!dir, "asprintf failed");
-	fail_unless(!sys_isdir(dir), "dir already sys_isdir()");
-	fail_unless(!sys_mkpath(dir, DFLT_DIRMODE), "sys_mkpath failed");
-	fail_unless(sys_isdir(dir), "dir not sys_isdir()");
+	ck_assert_msg((rv != -1) && !!dir, "asprintf failed");
+	ck_assert_msg(!sys_isdir(dir), "dir already sys_isdir()");
+	ck_assert_msg(!sys_mkpath(dir, DFLT_DIRMODE), "sys_mkpath failed");
+	ck_assert_msg(sys_isdir(dir), "dir not sys_isdir()");
 	free(dir);
 }
 END_TEST
@ -180,10 +180,10 @@ START_TEST(sys_realdir_01)
 	char *rd;

 	rd = sys_realdir("./../sys.t.c");
-	fail_unless(!!rd, "sys_realdir failed");
-	fail_unless(!!strstr(rd, "/sys.t.c"), "filename not found");
-	fail_unless(!strstr(rd, "/extra/"), "extra in path");
-	fail_unless(!strstr(rd, "/../"), "dot-dot in path");
+	ck_assert_msg(!!rd, "sys_realdir failed");
+	ck_assert_msg(!!strstr(rd, "/sys.t.c"), "filename not found");
+	ck_assert_msg(!strstr(rd, "/extra/"), "extra in path");
+	ck_assert_msg(!strstr(rd, "/../"), "dot-dot in path");
 	free(rd);
 }
 END_TEST
@ -193,8 +193,8 @@ START_TEST(sys_realdir_02)
 	char *rd;

 	rd = sys_realdir("/foo/bar/baz");
-	fail_unless(!rd, "sys_realdir did not fail");
-	fail_unless(errno == ENOENT, "errno not ENOENT");
+	ck_assert_msg(!rd, "sys_realdir did not fail");
+	ck_assert_msg(errno == ENOENT, "errno not ENOENT");
 }
 END_TEST

@ -203,8 +203,8 @@ START_TEST(sys_realdir_03)
 	char *rd;

 	rd = sys_realdir("foobarbaz");
-	fail_unless(!!rd, "sys_realdir failed");
-	fail_unless(!!strstr(rd, "/foobarbaz"), "filename not found or dir");
+	ck_assert_msg(!!rd, "sys_realdir failed");
+	ck_assert_msg(!!strstr(rd, "/foobarbaz"), "filename not found or dir");
 	free(rd);
 }
 END_TEST
@ -214,7 +214,7 @@ START_TEST(sys_realdir_04)
 	char *rd;

 	rd = sys_realdir("");
-	fail_unless(!rd, "sys_realdir did not fail");
+	ck_assert_msg(!rd, "sys_realdir did not fail");
 }
 END_TEST

@ -233,14 +233,14 @@ START_TEST(sys_dir_eachfile_01)

 	rv = sys_dir_eachfile(TARGETDIR, sys_dir_eachfile_cb, &flag);

-	fail_unless(rv == 0, "Did not return success");
-	fail_unless(flag == 2, "Iterated wrong number of files");
+	ck_assert_msg(rv == 0, "Did not return success");
+	ck_assert_msg(flag == 2, "Iterated wrong number of files");
 }
 END_TEST

 START_TEST(sys_get_cpu_cores_01)
 {
-	fail_unless(sys_get_cpu_cores() >= 1, "Number of CPU cores < 1");
+	ck_assert_msg(sys_get_cpu_cores() >= 1, "Number of CPU cores < 1");
 }
 END_TEST

@ -256,25 +256,25 @@ START_TEST(pthread_create_01)
 	pthread_t tid;
 	int x = 0;
 	void *rv;
-	fail_unless(!pthread_create(&tid, NULL, thrmain, &x),
+	ck_assert_msg(!pthread_create(&tid, NULL, thrmain, &x),
 	            "Cannot create thread");
-	fail_unless(!pthread_join(tid, &rv), "Cannot join thread");
-	fail_unless(x == 1, "Thread failed to update x");
-	fail_unless(rv == (void*) 2, "Thread return value mismatch");
+	ck_assert_msg(!pthread_join(tid, &rv), "Cannot join thread");
+	ck_assert_msg(x == 1, "Thread failed to update x");
+	ck_assert_msg(rv == (void*) 2, "Thread return value mismatch");
 }
 END_TEST

 START_TEST(sys_user_str_01)
 {
 	char *name = sys_user_str(0);
-	fail_unless(!strcmp(name, TEST_ZEROUSR), "User 0 name mismatch");
+	ck_assert_msg(!strcmp(name, TEST_ZEROUSR), "User 0 name mismatch");
 }
 END_TEST

 START_TEST(sys_group_str_01)
 {
 	char *name = sys_group_str(0);
-	fail_unless(!strcmp(name, TEST_ZEROGRP), "Group 0 name mismatch");
+	ck_assert_msg(!strcmp(name, TEST_ZEROGRP), "Group 0 name mismatch");
 }
 END_TEST

@ -283,8 +283,8 @@ START_TEST(sys_ip46str_sanitize_01)
 	char *clean;

 	clean = sys_ip46str_sanitize("2a01:7c8:aab0:1fb::1");
-	fail_unless(!!clean, "Sanitized string is NULL");
-	fail_unless(!strcmp(clean, "2a01_7c8_aab0_1fb__1"),
+	ck_assert_msg(!!clean, "Sanitized string is NULL");
+	ck_assert_msg(!strcmp(clean, "2a01_7c8_aab0_1fb__1"),
 	            "Unexpected result");
 	free(clean);
 }
@ -295,8 +295,8 @@ START_TEST(sys_ip46str_sanitize_02)
 	char *clean;

 	clean = sys_ip46str_sanitize("127.0.0.1");
-	fail_unless(!!clean, "Sanitized string is NULL");
-	fail_unless(!strcmp(clean, "127.0.0.1"),
+	ck_assert_msg(!!clean, "Sanitized string is NULL");
+	ck_assert_msg(!strcmp(clean, "127.0.0.1"),
 	            "Unexpected result");
 	free(clean);
 }
@ -307,8 +307,8 @@ START_TEST(sys_ip46str_sanitize_03)
 	char *clean;

 	clean = sys_ip46str_sanitize("fe80::5626:96ff:e4a7:f583%en0");
-	fail_unless(!!clean, "Sanitized string is NULL");
-	fail_unless(!strcmp(clean, "fe80__5626_96ff_e4a7_f583_en0"),
+	ck_assert_msg(!!clean, "Sanitized string is NULL");
+	ck_assert_msg(!strcmp(clean, "fe80__5626_96ff_e4a7_f583_en0"),
 	            "Unexpected result");
 	free(clean);
 }
--- a/tests/check/url.t.c
+++ b/tests/check/url.t.c
@ -48,9 +48,9 @@ START_TEST(url_dec_01)
 	size_t sz;

 	buf = url_dec(coded01, strlen(coded01), &sz);
-	fail_unless(!!buf, "no buffer returned");
-	fail_unless(sz == strlen(plain01), "wrong length");
-	fail_unless(!memcmp(plain01, buf, sz), "wrong data");
+	ck_assert_msg(!!buf, "no buffer returned");
+	ck_assert_msg(sz == strlen(plain01), "wrong length");
+	ck_assert_msg(!memcmp(plain01, buf, sz), "wrong data");
 	free(buf);
 }
 END_TEST
@ -61,9 +61,9 @@ START_TEST(url_dec_02)
 	size_t sz;

 	buf = url_dec(coded02, strlen(coded02), &sz);
-	fail_unless(!!buf, "no buffer returned");
-	fail_unless(sz == strlen(plain02 + 1) + 1, "wrong length");
-	fail_unless(!memcmp(plain02, buf, sz), "wrong data");
+	ck_assert_msg(!!buf, "no buffer returned");
+	ck_assert_msg(sz == strlen(plain02 + 1) + 1, "wrong length");
+	ck_assert_msg(!memcmp(plain02, buf, sz), "wrong data");
 	free(buf);
 }
 END_TEST
@ -74,7 +74,7 @@ START_TEST(url_dec_03)
 	size_t sz;

 	buf = url_dec(coded03, strlen(coded03), &sz);
-	fail_unless(!buf, "buffer returned");
+	ck_assert_msg(!buf, "buffer returned");
 }
 END_TEST

@ -84,7 +84,7 @@ START_TEST(url_dec_04)
 	size_t sz;

 	buf = url_dec(coded04, strlen(coded04), &sz);
-	fail_unless(!buf, "buffer returned");
+	ck_assert_msg(!buf, "buffer returned");
 }
 END_TEST

@ -94,7 +94,7 @@ START_TEST(url_dec_05)
 	size_t sz;

 	buf = url_dec(coded05, strlen(coded05), &sz);
-	fail_unless(!buf, "buffer returned");
+	ck_assert_msg(!buf, "buffer returned");
 }
 END_TEST

@ -104,9 +104,9 @@ START_TEST(url_dec_06)
 	size_t sz;

 	buf = url_dec("", 0, &sz);
-	fail_unless(!!buf, "no buffer returned");
-	fail_unless(!sz, "length not 0");
-	fail_unless(!buf[0], "not empty string");
+	ck_assert_msg(!!buf, "no buffer returned");
+	ck_assert_msg(!sz, "length not 0");
+	ck_assert_msg(!buf[0], "not empty string");
 	free(buf);
 }
 END_TEST
--- a/tests/check/util.t.c
+++ b/tests/check/util.t.c
@ -3,7 +3,7 @@
 * https://www.roe.ch/SSLsplit
 *
 * Copyright (c) 2009-2019, Daniel Roethlisberger <daniel@roe.ch>.
- * Copyright (c) 2017-2022, Soner Tari <sonertari@gmail.com>.
+ * Copyright (c) 2017-2024, Soner Tari <sonertari@gmail.com>.
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
@ -44,8 +44,8 @@ START_TEST(util_skipws_01)
 	char *p;

 	p = util_skipws(string01);
-	fail_unless(!!p, "no pointer returned");
-	fail_unless(!strcmp(p, "test"), "wrong data");
+	ck_assert_msg(!!p, "no pointer returned");
+	ck_assert_msg(!strcmp(p, "test"), "wrong data");
 }
 END_TEST

@ -54,8 +54,8 @@ START_TEST(util_skipws_02)
 	char *p;

 	p = util_skipws(string02);
-	fail_unless(!!p, "no pointer returned");
-	fail_unless(!strcmp(p, "test"), "wrong data");
+	ck_assert_msg(!!p, "no pointer returned");
+	ck_assert_msg(!strcmp(p, "test"), "wrong data");
 }
 END_TEST

@ -64,8 +64,8 @@ START_TEST(util_skipws_03)
 	char *p;

 	p = util_skipws(string03);
-	fail_unless(!!p, "no pointer returned");
-	fail_unless(!strcmp(p, "test"), "wrong data");
+	ck_assert_msg(!!p, "no pointer returned");
+	ck_assert_msg(!strcmp(p, "test"), "wrong data");
 }
 END_TEST

@ -74,8 +74,8 @@ START_TEST(util_skipws_04)
 	char *p;

 	p = util_skipws(string04);
-	fail_unless(!!p, "no pointer returned");
-	fail_unless(!strcmp(p, "test"), "wrong data");
+	ck_assert_msg(!!p, "no pointer returned");
+	ck_assert_msg(!strcmp(p, "test"), "wrong data");
 }
 END_TEST

@ -84,8 +84,8 @@ START_TEST(util_skipws_05)
 	char *p;

 	p = util_skipws(string05);
-	fail_unless(!!p, "no pointer returned");
-	fail_unless(!strcmp(p, "\r\ntest"), "wrong data");
+	ck_assert_msg(!!p, "no pointer returned");
+	ck_assert_msg(!strcmp(p, "\r\ntest"), "wrong data");
 }
 END_TEST

@ -94,8 +94,8 @@ START_TEST(util_skipws_06)
 	char *p;

 	p = util_skipws("");
-	fail_unless(!!p, "no pointer returned");
-	fail_unless(!strcmp(p, ""), "wrong data");
+	ck_assert_msg(!!p, "no pointer returned");
+	ck_assert_msg(!strcmp(p, ""), "wrong data");
 }
 END_TEST

@ -105,89 +105,89 @@ START_TEST(util_get_first_word_len_01)

 	char array01[] = {'\0'};
 	l = util_get_first_word_len(array01, sizeof(array01));
-	fail_unless(l == 0, "wrong len for null = %zu", l);
+	ck_assert_msg(l == 0, "wrong len for null = %zu", l);

 	char array02[] = {' '};
 	l = util_get_first_word_len(array02, sizeof(array02));
-	fail_unless(l == 0, "wrong len for space = %zu", l);
+	ck_assert_msg(l == 0, "wrong len for space = %zu", l);

 	char array03[] = {'\t'};
 	l = util_get_first_word_len(array03, sizeof(array03));
-	fail_unless(l == 0, "wrong len for tab = %zu", l);
+	ck_assert_msg(l == 0, "wrong len for tab = %zu", l);

 	char array04[] = {'\r'};
 	l = util_get_first_word_len(array04, sizeof(array04));
-	fail_unless(l == 0, "wrong len for cr = %zu", l);
+	ck_assert_msg(l == 0, "wrong len for cr = %zu", l);

 	char array05[] = {'\n'};
 	l = util_get_first_word_len(array05, sizeof(array05));
-	fail_unless(l == 0, "wrong len for nl = %zu", l);
+	ck_assert_msg(l == 0, "wrong len for nl = %zu", l);

 	char array06[] = {'\t', '\r', '\n'};
 	l = util_get_first_word_len(array06, sizeof(array06));
-	fail_unless(l == 0, "wrong len for space, tab, cr, nl = %zu", l);
+	ck_assert_msg(l == 0, "wrong len for space, tab, cr, nl = %zu", l);

 	char array07[] = {'1'};
 	l = util_get_first_word_len(array07, sizeof(array07));
-	fail_unless(l == 1, "wrong len for 1 = %zu", l);
+	ck_assert_msg(l == 1, "wrong len for 1 = %zu", l);

 	char array08[] = {'1', ' '};
 	l = util_get_first_word_len(array08, sizeof(array08));
-	fail_unless(l == 1, "wrong len for 1, space = %zu", l);
+	ck_assert_msg(l == 1, "wrong len for 1, space = %zu", l);

 	char array09[] = {'1', '\t'};
 	l = util_get_first_word_len(array09, sizeof(array09));
-	fail_unless(l == 1, "wrong len for 1, tab = %zu", l);
+	ck_assert_msg(l == 1, "wrong len for 1, tab = %zu", l);

 	char array10[] = {'1', '\r'};
 	l = util_get_first_word_len(array10, sizeof(array10));
-	fail_unless(l == 1, "wrong len for 1, cr = %zu", l);
+	ck_assert_msg(l == 1, "wrong len for 1, cr = %zu", l);

 	char array11[] = {'1', '\n'};
 	l = util_get_first_word_len(array11, sizeof(array11));
-	fail_unless(l == 1, "wrong len for 1, nl = %zu", l);
+	ck_assert_msg(l == 1, "wrong len for 1, nl = %zu", l);

 	char array12[] = {'1', ' ', '\t', '\r', '\n'};
 	l = util_get_first_word_len(array12, sizeof(array12));
-	fail_unless(l == 1, "wrong len for 1, space, tab, cr, nl = %zu", l);
+	ck_assert_msg(l == 1, "wrong len for 1, space, tab, cr, nl = %zu", l);

 	char array13[] = {'1', '\t', '\r', '\n'};
 	l = util_get_first_word_len(array13, sizeof(array13));
-	fail_unless(l == 1, "wrong len for 1, tab, cr, nl = %zu", l);
+	ck_assert_msg(l == 1, "wrong len for 1, tab, cr, nl = %zu", l);

 	char array14[] = {'1', '\r', '\n'};
 	l = util_get_first_word_len(array14, sizeof(array14));
-	fail_unless(l == 1, "wrong len for 1, cr, nl = %zu", l);
+	ck_assert_msg(l == 1, "wrong len for 1, cr, nl = %zu", l);

 	char array15[] = {'1', '2', '\r', '\n'};
 	l = util_get_first_word_len(array15, sizeof(array15));
-	fail_unless(l == 2, "wrong len for 12, cr, nl = %zu", l);
+	ck_assert_msg(l == 2, "wrong len for 12, cr, nl = %zu", l);

 	char array16[] = {'1', '2'};
 	l = util_get_first_word_len(array16, sizeof(array16));
-	fail_unless(l == 2, "wrong len for 12 = %zu", l);
+	ck_assert_msg(l == 2, "wrong len for 12 = %zu", l);

 	char array17[] = {'1', '2', '3', '4', '5', '6', '7', '8', '9', '0'};
 	l = util_get_first_word_len(array17, sizeof(array17));
-	fail_unless(l == 10, "wrong len for 1234567890 = %zu", l);
+	ck_assert_msg(l == 10, "wrong len for 1234567890 = %zu", l);

 	char array18[] = {'1', '2', '3', '4', '5', '6', '7', '8', '9', '0', '\r', '\n'};
 	l = util_get_first_word_len(array18, sizeof(array18));
-	fail_unless(l == 10, "wrong len for 1234567890, cr, nl = %zu", l);
+	ck_assert_msg(l == 10, "wrong len for 1234567890, cr, nl = %zu", l);

 	l = util_get_first_word_len(array18, 1);
-	fail_unless(l == 1, "wrong len for size 1 in 1234567890, cr, nl = %zu", l);
+	ck_assert_msg(l == 1, "wrong len for size 1 in 1234567890, cr, nl = %zu", l);

 	l = util_get_first_word_len(array18, 0);
-	fail_unless(l == 0, "wrong len for size 0 in 1234567890, cr, nl = %zu", l);
+	ck_assert_msg(l == 0, "wrong len for size 0 in 1234567890, cr, nl = %zu", l);

 	char array19[] = {'1', ' ', '2', '\r', '\n'};
 	l = util_get_first_word_len(array19, sizeof(array19));
-	fail_unless(l == 1, "wrong len for 1 2, cr, nl = %zu", l);
+	ck_assert_msg(l == 1, "wrong len for 1 2, cr, nl = %zu", l);

 	char array20[] = {' ', '1'};
 	l = util_get_first_word_len(array20, sizeof(array20));
-	fail_unless(l == 0, "wrong len for space, 1 = %zu", l);
+	ck_assert_msg(l == 0, "wrong len for space, 1 = %zu", l);
 }
 END_TEST

--- a/tests/testproxy/GNUmakefile
+++ b/tests/testproxy/GNUmakefile
@ -22,11 +22,15 @@ buildlp:
 test: SSL_PROTOS=$(shell $(PROJECT_ROOT)/src/sslproxy -V 2>&1 | grep "SSL/TLS protocol availability")
 test: TLS11=$(findstring tls11,$(SSL_PROTOS))
 test: TLS13=$(findstring tls13,$(SSL_PROTOS))
+test: OPENSSL=$(shell $(PROJECT_ROOT)/src/sslproxy -V 2>&1 | grep "compiled against OpenSSL")
+test: OPENSSL3=$(findstring "OpenSSL 3.",$(OPENSSL))
 test: SSLPROXY_CONF=$(if $(TLS13),sslproxy.conf,sslproxy_no_tls13.conf)
 test: SSLPROXY_CONF:=$(if $(TLS11),$(SSLPROXY_CONF),sslproxy_no_tls11.conf)
+test: SSLPROXY_CONF:=$(if $(OPENSSL3),$(SSLPROXY_CONF),sslproxy_openssl3.conf)
 test: SSLPROXY_COMMAND=$(PROJECT_ROOT)/src/sslproxy -f $(SSLPROXY_CONF) -o Debug=no -o Daemon=yes -o User=nobody
 test: TESTHARNESS=$(if $(TLS13),testharness.json,testharness_no_tls13.json)
 test: TESTHARNESS:=$(if $(TLS11),$(TESTHARNESS),testharness_no_tls11.json)
+test: TESTHARNESS:=$(if $(OPENSSL3),$(TESTHARNESS),testharness_openssl3.json)
 #test: SKIP_TESTHARNESS=2
 test: buildsslproxy buildlp
 	sudo LD_LIBRARY_PATH=$(LD_LIBRARY_PATH) ./lp/lp -f ./lp/lp.conf -o Debug=no -o Daemon=yes -o User=nobody
@ -38,11 +42,15 @@ test: buildsslproxy buildlp
 test_split: SSL_PROTOS=$(shell $(PROJECT_ROOT)/src/sslproxy -V 2>&1 | grep "SSL/TLS protocol availability")
 test_split: TLS11=$(findstring tls11,$(SSL_PROTOS))
 test_split: TLS13=$(findstring tls13,$(SSL_PROTOS))
+test_split: OPENSSL=$(shell $(PROJECT_ROOT)/src/sslproxy -V 2>&1 | grep "compiled against OpenSSL")
+test_split: OPENSSL3=$(findstring "OpenSSL 3.",$(OPENSSL))
 test_split: SSLPROXY_CONF=$(if $(TLS13),sslproxy.conf,sslproxy_no_tls13.conf)
 test_split: SSLPROXY_CONF:=$(if $(TLS11),$(SSLPROXY_CONF),sslproxy_no_tls11.conf)
+test_split: SSLPROXY_CONF:=$(if $(OPENSSL3),$(SSLPROXY_CONF),sslproxy_openssl3.conf)
 test_split: SSLPROXY_COMMAND=$(PROJECT_ROOT)/src/sslproxy -n -f $(SSLPROXY_CONF) -o Debug=no -o Daemon=yes -o User=nobody
 test_split: TESTHARNESS=$(if $(TLS13),testharness_split.json,testharness_split_no_tls13.json)
 test_split: TESTHARNESS:=$(if $(TLS11),$(TESTHARNESS),testharness_split_no_tls11.json)
+test_split: TESTHARNESS:=$(if $(OPENSSL3),$(TESTHARNESS),testharness_split_openssl3.json)
 test_split: buildsslproxy buildlp
 	sudo LD_LIBRARY_PATH=$(LD_LIBRARY_PATH) ./lp/lp -f ./lp/lp.conf -o Debug=no -o Daemon=yes -o User=nobody
 	sudo LD_LIBRARY_PATH=$(LD_LIBRARY_PATH) $(SSLPROXY_COMMAND)
--- a/tests/testproxy/lp/main.c
+++ b/tests/testproxy/lp/main.c
@ -88,7 +88,7 @@ main_version(void)
 		fprintf(stderr, "---------------------------------------"
 		                "---------------------------------------\n");
 	}
-	fprintf(stderr, "Copyright (c) 2017-2022, Soner Tari <sonertari@gmail.com>\n");
+	fprintf(stderr, "Copyright (c) 2017-2024, Soner Tari <sonertari@gmail.com>\n");
 	fprintf(stderr, "https://github.com/sonertari/SSLproxy\n");
 	fprintf(stderr, "Copyright (c) 2009-2019, "
 	                "Daniel Roethlisberger <daniel@roe.ch>\n");
--- a/tests/testproxy/lp/opts.c
+++ b/tests/testproxy/lp/opts.c
@ -3,7 +3,7 @@
 * https://www.roe.ch/SSLsplit
 *
 * Copyright (c) 2009-2019, Daniel Roethlisberger <daniel@roe.ch>.
- * Copyright (c) 2017-2022, Soner Tari <sonertari@gmail.com>.
+ * Copyright (c) 2017-2024, Soner Tari <sonertari@gmail.com>.
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
--- a/tests/testproxy/lp/prototcp.c
+++ b/tests/testproxy/lp/prototcp.c
@ -3,7 +3,7 @@
 * https://www.roe.ch/SSLsplit
 *
 * Copyright (c) 2009-2019, Daniel Roethlisberger <daniel@roe.ch>.
- * Copyright (c) 2017-2022, Soner Tari <sonertari@gmail.com>.
+ * Copyright (c) 2017-2024, Soner Tari <sonertari@gmail.com>.
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
--- a/tests/testproxy/lp/prototcp.h
+++ b/tests/testproxy/lp/prototcp.h
@ -3,7 +3,7 @@
 * https://www.roe.ch/SSLsplit
 *
 * Copyright (c) 2009-2019, Daniel Roethlisberger <daniel@roe.ch>.
- * Copyright (c) 2017-2022, Soner Tari <sonertari@gmail.com>.
+ * Copyright (c) 2017-2024, Soner Tari <sonertari@gmail.com>.
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
--- a/tests/testproxy/lp/pxyconn.c
+++ b/tests/testproxy/lp/pxyconn.c
@ -3,7 +3,7 @@
 * https://www.roe.ch/SSLsplit
 *
 * Copyright (c) 2009-2019, Daniel Roethlisberger <daniel@roe.ch>.
- * Copyright (c) 2017-2022, Soner Tari <sonertari@gmail.com>.
+ * Copyright (c) 2017-2024, Soner Tari <sonertari@gmail.com>.
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
@ -149,7 +149,6 @@ pxy_log_connect_tcp(pxy_conn_ctx_t *ctx)
 	}
 	if (ctx->opts->connectlog) {
 		if (log_connect_print_free(msg) == -1) {
-			free(msg);
 			log_err_level_printf(LOG_WARNING, "Connection logging failed\n");
 		}
 	} else {
--- a/tests/testproxy/lp/pxyconn.h
+++ b/tests/testproxy/lp/pxyconn.h
@ -3,7 +3,7 @@
 * https://www.roe.ch/SSLsplit
 *
 * Copyright (c) 2009-2019, Daniel Roethlisberger <daniel@roe.ch>.
- * Copyright (c) 2017-2022, Soner Tari <sonertari@gmail.com>.
+ * Copyright (c) 2017-2024, Soner Tari <sonertari@gmail.com>.
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
--- a/tests/testproxy/lp/pxythr.c
+++ b/tests/testproxy/lp/pxythr.c
@ -2,7 +2,7 @@
 * SSLsplit - transparent SSL/TLS interception
 * https://www.roe.ch/SSLsplit
 *
- * Copyright (c) 2017-2022, Soner Tari <sonertari@gmail.com>.
+ * Copyright (c) 2017-2024, Soner Tari <sonertari@gmail.com>.
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
--- a/tests/testproxy/lp/pxythr.h
+++ b/tests/testproxy/lp/pxythr.h
@ -2,7 +2,7 @@
 * SSLsplit - transparent SSL/TLS interception
 * https://www.roe.ch/SSLsplit
 *
- * Copyright (c) 2017-2022, Soner Tari <sonertari@gmail.com>.
+ * Copyright (c) 2017-2024, Soner Tari <sonertari@gmail.com>.
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
--- a/tests/testproxy/lp/pxythrmgr.c
+++ b/tests/testproxy/lp/pxythrmgr.c
@ -3,7 +3,7 @@
 * https://www.roe.ch/SSLsplit
 *
 * Copyright (c) 2009-2019, Daniel Roethlisberger <daniel@roe.ch>.
- * Copyright (c) 2017-2022, Soner Tari <sonertari@gmail.com>.
+ * Copyright (c) 2017-2024, Soner Tari <sonertari@gmail.com>.
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
--- a/tests/testproxy/lp/sys.c
+++ b/tests/testproxy/lp/sys.c
@ -380,6 +380,7 @@ sys_sockaddr_str(struct sockaddr *addr, socklen_t addrlen,
 		log_err_level_printf(LOG_CRIT, "Cannot get nameinfo for socket address: %s\n",
 		               gai_strerror(rv));
 		free(*serv);
+		*serv = NULL;
 		return -1;
 	}
 	hostsz = strlen(tmphost) + 1; /* including terminator */
@ -387,6 +388,7 @@ sys_sockaddr_str(struct sockaddr *addr, socklen_t addrlen,
 	if (!*host) {
 		log_err_level_printf(LOG_CRIT, "Cannot allocate memory\n");
 		free(*serv);
+		*serv = NULL;
 		return -1;
 	}
 	memcpy(*host, tmphost, hostsz);
--- a/tests/testproxy/sslproxy.conf
+++ b/tests/testproxy/sslproxy.conf
@ -1,4 +1,4 @@
-# TestProxy test configuration for sslproxy v0.9.4
+# TestProxy test configuration for sslproxy v0.9.5

 # Global options
 #User _sslproxy
--- a/tests/testproxy/sslproxy_no_tls11.conf
+++ b/tests/testproxy/sslproxy_no_tls11.conf
@ -1,4 +1,4 @@
-# TestProxy test configuration for sslproxy v0.9.4
+# TestProxy test configuration for sslproxy v0.9.5

 # Global options
 #User _sslproxy
--- a/tests/testproxy/sslproxy_no_tls13.conf
+++ b/tests/testproxy/sslproxy_no_tls13.conf
@ -1,4 +1,4 @@
-# TestProxy test configuration for sslproxy v0.9.4
+# TestProxy test configuration for sslproxy v0.9.5

 # Global options
 #User _sslproxy
--- a/tests/testproxy/sslproxy_openssl3.conf
+++ b/tests/testproxy/sslproxy_openssl3.conf
--- a/tests/testproxy/testharness_openssl3.json
+++ b/tests/testproxy/testharness_openssl3.json
@ -0,0 +1,70 @@
+{
+  "comment": "SSLproxy tests",
+  "testharnesses": {
+    "1": {
+      "comment": "HTTP tests",
+      "testsets": {
+        "1": "http_testset_1.json",
+        "2": "http_testset_2.json",
+        "3": "http_testset_3.json"
+      }
+    },
+    "2": {
+      "comment": "SSL config tests",
+      "testsets": {
+        "1": "ssl_testset_4.json",
+        "2": "ssl_testset_5.json",
+        "3": "ssl_testset_6.json"
+      }
+    },
+    "3": {
+      "comment": "Protocol validation tests",
+      "testsets": {
+        "1": "tcp_ssl_testends_testset_1.json",
+        "2": "ssl_tcp_testends_testset_1.json",
+        "3": "proto_validate_testset_1.json",
+        "4": "proto_validate_testset_2.json",
+        "5": "proto_validate_testset_3.json",
+        "6": "proto_validate_testset_4.json"
+      }
+    },
+    "4": {
+      "comment": "Various option tests",
+      "testsets": {
+        "1": "passthrough_testset_1.json",
+        "2": "verifypeer_testset_1.json",
+        "3": "verifypeer_testset_2.json",
+        "4": "ca_testset_1.json",
+        "5": "ca_testset_2.json",
+        "6": "userauth_testset_1.json",
+        "7": "userauth_testset_2.json"
+      }
+    },
+    "5": {
+      "comment": "Filtering rules tests",
+      "testsets": {
+        "1": "filter_divert_testset_1.json",
+        "2": "filter_split_testset_1.json",
+        "3": "filter_pass_testset_1.json",
+        "4": "filter_block_testset_1.json",
+        "5": "filter_sni_testset_1.json",
+        "6": "filter_sni_testset_2.json",
+        "7": "filter_cn_testset_1.json",
+        "8": "filter_cn_testset_2.json",
+        "9": "filter_host_testset_1.json",
+        "10": "filter_host_testset_2.json",
+        "11": "filter_uri_testset_1.json",
+        "12": "filter_uri_testset_2.json",
+        "13": "filter_struct_testset_1.json",
+        "14": "filter_struct_reconnect_testset_1.json"
+      }
+    },
+    "6": {
+      "comment": "Autossl tests",
+      "testsets": {
+        "1": "autossl_testset_1.json",
+        "2": "autossl_testset_2.json"
+      }
+    }
+  }
+}
--- a/tests/testproxy/testharness_split_openssl3.json
+++ b/tests/testproxy/testharness_split_openssl3.json
@ -0,0 +1,53 @@
+{
+  "comment": "SSLproxy split mode tests",
+  "testharnesses": {
+    "1": {
+      "comment": "HTTP tests",
+      "testsets": {
+        "1": "http_testset_split_1.json",
+        "2": "http_testset_2.json",
+        "3": "http_testset_3.json"
+      }
+    },
+    "2": {
+      "comment": "SSL config tests",
+      "testsets": {
+        "1": "ssl_testset_4.json",
+        "2": "ssl_testset_5.json",
+        "3": "ssl_testset_6.json"
+      }
+    },
+    "3": {
+      "comment": "Protocol validation tests",
+      "testsets": {
+        "1": "tcp_ssl_testends_testset_1.json",
+        "2": "ssl_tcp_testends_testset_1.json",
+        "3": "proto_validate_testset_1.json",
+        "4": "proto_validate_testset_2.json",
+        "5": "proto_validate_testset_3.json",
+        "6": "proto_validate_testset_split_4.json"
+      }
+    },
+    "4": {
+      "comment": "Various option tests",
+      "testsets": {
+        "1": "passthrough_testset_1.json",
+        "2": "verifypeer_testset_1.json",
+        "3": "verifypeer_testset_2.json",
+        "4": "ca_testset_1.json",
+        "5": "ca_testset_2.json",
+        "6": "userauth_testset_1.json",
+        "7": "userauth_testset_2.json"
+      }
+    },
+    "5": {
+      "comment": "Filtering rules tests",
+      "testsets": {
+        "1": "filter_divert_testset_1.json",
+        "2": "filter_split_testset_1.json",
+        "3": "filter_pass_testset_1.json",
+        "4": "filter_block_testset_1.json"
+      }
+    }
+  }
+}
Author	SHA1	Message	Date
Soner Tari	dfb783d7ba	Release v0.9.5 Bump version to 0.9.5 Update copyright year to 2024 Update NEWS	3 months ago
Soner Tari	0e8e2c3727	Fix e2e tests with openssl 3	5 months ago
Soner Tari	a9fec35d42	Fix possible segfault in proto smtp in split mode srvdst is disabled in split mode, and srvdst.bev is null	5 months ago
Soner Tari	828c1c3c69	Fix retval of privsep_server_opensock_verify() thanks to @Qbog	11 months ago
Soner Tari	e049f14cc2	Replace deprecated fail_unless() with ck_assert_msg() in unit tests Fixes 1924 warnings such as: warning: too many arguments for format [-Wformat-extra-args] 64 \| fail_unless(!!buf, "no buffer returned");	1 year ago
Soner Tari	adf9a44d22	Fix possible double free of host and serv variables, thanks to @disaykin	1 year ago
Soner Tari	e2f83eaa3a	Fix possible integer overflow, thanks to @disaykin The value of an arithmetic expression p[1] + (p[0] << 8) is subject to overflow due to a failure to cast operands to a larger data type before perfoming arithmetic	1 year ago
Soner Tari	1408e85513	Close fds only once, thanks to @disaykin	1 year ago
Soner Tari	d45e9a2f92	Fix memory leak, thanks to @disaykin	1 year ago
Soner Tari	6a92058b09	Handle ftell error, thanks to @disaykin	1 year ago
Soner Tari	3048f95485	Fix mismatched call arguments, thanks to @disaykin	1 year ago
Soner Tari	94fed777d4	Fix memory leak in case of cert key mismatch, thanks to @disaykin	1 year ago
Soner Tari	d48ba1da9a	Fix file descriptor leak, thanks to @disaykin	1 year ago
Soner Tari	fc7d57469d	Fix double free, thanks to @disaykin Bug found by Svace static analyzer	1 year ago
Soner Tari	8168d32d03	Fix header-size calculation in IPv6 packet mirroring, thanks to @matoro	1 year ago
Soner Tari	0d7db139dd	Handle partial write, thanks to @disaykin	1 year ago
Soner Tari	521a1cc3a0	Handle return value of gmtime(), thanks to @disaykin	1 year ago
Soner Tari	7f201c59de	Fix double free, thanks to @disaykin	1 year ago