]> git.proxmox.com Git - mirror_qemu.git/blame - tests/test-crypto-tlssession.c
projects / mirror_qemu.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
authz: add QAuthZPAM object type for authorizing using PAM
[mirror_qemu.git] / tests / test-crypto-tlssession.c
CommitLineData
d321e1e5
DB		 1/*
2 * Copyright (C) 2015 Red Hat, Inc.
3 *
4 * This library is free software; you can redistribute it and/or
5 * modify it under the terms of the GNU Lesser General Public
6 * License as published by the Free Software Foundation; either
7 * version 2.1 of the License, or (at your option) any later version.
8 *
9 * This library is distributed in the hope that it will be useful,
10 * but WITHOUT ANY WARRANTY; without even the implied warranty of
11 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
12 * Lesser General Public License for more details.
13 *
14 * You should have received a copy of the GNU Lesser General Public
15 * License along with this library. If not, see
16 * <http://www.gnu.org/licenses/>.
17 *
18 * Author: Daniel P. Berrange <berrange@redhat.com>
19 */
20
681c28a3 21#include "qemu/osdep.h"
d321e1e5 22
d321e1e5 23#include "crypto-tls-x509-helpers.h"
e1a6dc91 24#include "crypto-tls-psk-helpers.h"
d321e1e5 25#include "crypto/tlscredsx509.h"
e1a6dc91 26#include "crypto/tlscredspsk.h"
d321e1e5
DB		 27#include "crypto/tlssession.h"
28#include "qom/object_interfaces.h"
da34e65c 29#include "qapi/error.h"
d321e1e5
DB		 30#include "qemu/sockets.h"
31#include "qemu/acl.h"
32
33#ifdef QCRYPTO_HAVE_TLS_TEST_SUPPORT
34
35#define WORKDIR "tests/test-crypto-tlssession-work/"
e1a6dc91 36#define PSKFILE WORKDIR "keys.psk"
d321e1e5
DB		 37#define KEYFILE WORKDIR "key-ctx.pem"
38
d321e1e5
DB		 39static ssize_t testWrite(const char *buf, size_t len, void *opaque)
40{
41 int *fd = opaque;
42
43 return write(*fd, buf, len);
44}
45
46static ssize_t testRead(char *buf, size_t len, void *opaque)
47{
48 int *fd = opaque;
49
50 return read(*fd, buf, len);
51}
52
e1a6dc91
RJ		 53static QCryptoTLSCreds *test_tls_creds_psk_create(
54 QCryptoTLSCredsEndpoint endpoint,
68db1318 55 const char *dir)
e1a6dc91 56{
e1a6dc91
RJ		 57 Object *parent = object_get_objects_root();
58 Object *creds = object_new_with_props(
59 TYPE_QCRYPTO_TLS_CREDS_PSK,
60 parent,
61 (endpoint == QCRYPTO_TLS_CREDS_ENDPOINT_SERVER ?
62 "testtlscredsserver" : "testtlscredsclient"),
68db1318 63 &error_abort,
e1a6dc91
RJ		 64 "endpoint", (endpoint == QCRYPTO_TLS_CREDS_ENDPOINT_SERVER ?
65 "server" : "client"),
66 "dir", dir,
67 "priority", "NORMAL",
68 NULL
69 );
e1a6dc91
RJ		 70 return QCRYPTO_TLS_CREDS(creds);
71}
72
73
74static void test_crypto_tls_session_psk(void)
75{
76 QCryptoTLSCreds *clientCreds;
77 QCryptoTLSCreds *serverCreds;
78 QCryptoTLSSession *clientSess = NULL;
79 QCryptoTLSSession *serverSess = NULL;
80 int channel[2];
81 bool clientShake = false;
82 bool serverShake = false;
e1a6dc91
RJ		 83 int ret;
84
85 /* We'll use this for our fake client-server connection */
86 ret = socketpair(AF_UNIX, SOCK_STREAM, 0, channel);
87 g_assert(ret == 0);
88
89 /*
90 * We have an evil loop to do the handshake in a single
91 * thread, so we need these non-blocking to avoid deadlock
92 * of ourselves
93 */
94 qemu_set_nonblock(channel[0]);
95 qemu_set_nonblock(channel[1]);
96
97 clientCreds = test_tls_creds_psk_create(
98 QCRYPTO_TLS_CREDS_ENDPOINT_CLIENT,
68db1318 99 WORKDIR);
e1a6dc91
RJ		 100 g_assert(clientCreds != NULL);
101
102 serverCreds = test_tls_creds_psk_create(
103 QCRYPTO_TLS_CREDS_ENDPOINT_SERVER,
68db1318 104 WORKDIR);
e1a6dc91
RJ		 105 g_assert(serverCreds != NULL);
106
107 /* Now the real part of the test, setup the sessions */
108 clientSess = qcrypto_tls_session_new(
109 clientCreds, NULL, NULL,
68db1318
DB		 110 QCRYPTO_TLS_CREDS_ENDPOINT_CLIENT, &error_abort);
111 g_assert(clientSess != NULL);
112
e1a6dc91
RJ		 113 serverSess = qcrypto_tls_session_new(
114 serverCreds, NULL, NULL,
68db1318 115 QCRYPTO_TLS_CREDS_ENDPOINT_SERVER, &error_abort);
e1a6dc91
RJ		 116 g_assert(serverSess != NULL);
117
118 /* For handshake to work, we need to set the I/O callbacks
119 * to read/write over the socketpair
120 */
121 qcrypto_tls_session_set_callbacks(serverSess,
122 testWrite, testRead,
123 &channel[0]);
124 qcrypto_tls_session_set_callbacks(clientSess,
125 testWrite, testRead,
126 &channel[1]);
127
128 /*
129 * Finally we loop around & around doing handshake on each
130 * session until we get an error, or the handshake completes.
131 * This relies on the socketpair being nonblocking to avoid
132 * deadlocking ourselves upon handshake
133 */
134 do {
135 int rv;
136 if (!serverShake) {
137 rv = qcrypto_tls_session_handshake(serverSess,
68db1318 138 &error_abort);
e1a6dc91
RJ		 139 g_assert(rv >= 0);
140 if (qcrypto_tls_session_get_handshake_status(serverSess) ==
141 QCRYPTO_TLS_HANDSHAKE_COMPLETE) {
142 serverShake = true;
143 }
144 }
145 if (!clientShake) {
146 rv = qcrypto_tls_session_handshake(clientSess,
68db1318 147 &error_abort);
e1a6dc91
RJ		 148 g_assert(rv >= 0);
149 if (qcrypto_tls_session_get_handshake_status(clientSess) ==
150 QCRYPTO_TLS_HANDSHAKE_COMPLETE) {
151 clientShake = true;
152 }
153 }
db0a8c70 154 } while (!clientShake || !serverShake);
e1a6dc91
RJ		 155
156
157 /* Finally make sure the server & client validation is successful. */
68db1318
DB		 158 g_assert(qcrypto_tls_session_check_credentials(serverSess,
159 &error_abort) == 0);
160 g_assert(qcrypto_tls_session_check_credentials(clientSess,
161 &error_abort) == 0);
e1a6dc91
RJ		 162
163 object_unparent(OBJECT(serverCreds));
164 object_unparent(OBJECT(clientCreds));
165
166 qcrypto_tls_session_free(serverSess);
167 qcrypto_tls_session_free(clientSess);
168
169 close(channel[0]);
170 close(channel[1]);
171}
172
173
174struct QCryptoTLSSessionTestData {
175 const char *servercacrt;
176 const char *clientcacrt;
177 const char *servercrt;
178 const char *clientcrt;
179 bool expectServerFail;
180 bool expectClientFail;
181 const char *hostname;
182 const char *const *wildcards;
183};
184
185static QCryptoTLSCreds *test_tls_creds_x509_create(
186 QCryptoTLSCredsEndpoint endpoint,
68db1318 187 const char *certdir)
d321e1e5 188{
d321e1e5
DB		 189 Object *parent = object_get_objects_root();
190 Object *creds = object_new_with_props(
191 TYPE_QCRYPTO_TLS_CREDS_X509,
192 parent,
193 (endpoint == QCRYPTO_TLS_CREDS_ENDPOINT_SERVER ?
194 "testtlscredsserver" : "testtlscredsclient"),
68db1318 195 &error_abort,
d321e1e5
DB		 196 "endpoint", (endpoint == QCRYPTO_TLS_CREDS_ENDPOINT_SERVER ?
197 "server" : "client"),
198 "dir", certdir,
199 "verify-peer", "yes",
057ad0b4 200 "priority", "NORMAL",
d321e1e5
DB		 201 /* We skip initial sanity checks here because we
202 * want to make sure that problems are being
203 * detected at the TLS session validation stage,
204 * and the test-crypto-tlscreds test already
205 * validate the sanity check code.
206 */
207 "sanity-check", "no",
208 NULL
209 );
d321e1e5
DB		 210 return QCRYPTO_TLS_CREDS(creds);
211}
212
213
214/*
215 * This tests validation checking of peer certificates
216 *
217 * This is replicating the checks that are done for an
218 * active TLS session after handshake completes. To
219 * simulate that we create our TLS contexts, skipping
220 * sanity checks. We then get a socketpair, and
221 * initiate a TLS session across them. Finally do
222 * do actual cert validation tests
223 */
e1a6dc91 224static void test_crypto_tls_session_x509(const void *opaque)
d321e1e5
DB		 225{
226 struct QCryptoTLSSessionTestData *data =
227 (struct QCryptoTLSSessionTestData *)opaque;
228 QCryptoTLSCreds *clientCreds;
229 QCryptoTLSCreds *serverCreds;
230 QCryptoTLSSession *clientSess = NULL;
231 QCryptoTLSSession *serverSess = NULL;
232 qemu_acl *acl;
233 const char * const *wildcards;
234 int channel[2];
235 bool clientShake = false;
236 bool serverShake = false;
d321e1e5
DB		 237 int ret;
238
239 /* We'll use this for our fake client-server connection */
240 ret = socketpair(AF_UNIX, SOCK_STREAM, 0, channel);
241 g_assert(ret == 0);
242
243 /*
244 * We have an evil loop to do the handshake in a single
245 * thread, so we need these non-blocking to avoid deadlock
246 * of ourselves
247 */
248 qemu_set_nonblock(channel[0]);
249 qemu_set_nonblock(channel[1]);
250
251#define CLIENT_CERT_DIR "tests/test-crypto-tlssession-client/"
252#define SERVER_CERT_DIR "tests/test-crypto-tlssession-server/"
253 mkdir(CLIENT_CERT_DIR, 0700);
254 mkdir(SERVER_CERT_DIR, 0700);
255
256 unlink(SERVER_CERT_DIR QCRYPTO_TLS_CREDS_X509_CA_CERT);
257 unlink(SERVER_CERT_DIR QCRYPTO_TLS_CREDS_X509_SERVER_CERT);
258 unlink(SERVER_CERT_DIR QCRYPTO_TLS_CREDS_X509_SERVER_KEY);
259
260 unlink(CLIENT_CERT_DIR QCRYPTO_TLS_CREDS_X509_CA_CERT);
261 unlink(CLIENT_CERT_DIR QCRYPTO_TLS_CREDS_X509_CLIENT_CERT);
262 unlink(CLIENT_CERT_DIR QCRYPTO_TLS_CREDS_X509_CLIENT_KEY);
263
264 g_assert(link(data->servercacrt,
265 SERVER_CERT_DIR QCRYPTO_TLS_CREDS_X509_CA_CERT) == 0);
266 g_assert(link(data->servercrt,
267 SERVER_CERT_DIR QCRYPTO_TLS_CREDS_X509_SERVER_CERT) == 0);
268 g_assert(link(KEYFILE,
269 SERVER_CERT_DIR QCRYPTO_TLS_CREDS_X509_SERVER_KEY) == 0);
270
271 g_assert(link(data->clientcacrt,
272 CLIENT_CERT_DIR QCRYPTO_TLS_CREDS_X509_CA_CERT) == 0);
273 g_assert(link(data->clientcrt,
274 CLIENT_CERT_DIR QCRYPTO_TLS_CREDS_X509_CLIENT_CERT) == 0);
275 g_assert(link(KEYFILE,
276 CLIENT_CERT_DIR QCRYPTO_TLS_CREDS_X509_CLIENT_KEY) == 0);
277
e1a6dc91 278 clientCreds = test_tls_creds_x509_create(
d321e1e5 279 QCRYPTO_TLS_CREDS_ENDPOINT_CLIENT,
68db1318 280 CLIENT_CERT_DIR);
d321e1e5
DB		 281 g_assert(clientCreds != NULL);
282
e1a6dc91 283 serverCreds = test_tls_creds_x509_create(
d321e1e5 284 QCRYPTO_TLS_CREDS_ENDPOINT_SERVER,
68db1318 285 SERVER_CERT_DIR);
d321e1e5
DB		 286 g_assert(serverCreds != NULL);
287
288 acl = qemu_acl_init("tlssessionacl");
289 qemu_acl_reset(acl);
290 wildcards = data->wildcards;
291 while (wildcards && *wildcards) {
292 qemu_acl_append(acl, 0, *wildcards);
293 wildcards++;
294 }
295
296 /* Now the real part of the test, setup the sessions */
297 clientSess = qcrypto_tls_session_new(
298 clientCreds, data->hostname, NULL,
68db1318
DB		 299 QCRYPTO_TLS_CREDS_ENDPOINT_CLIENT, &error_abort);
300 g_assert(clientSess != NULL);
301
d321e1e5
DB		 302 serverSess = qcrypto_tls_session_new(
303 serverCreds, NULL,
304 data->wildcards ? "tlssessionacl" : NULL,
68db1318 305 QCRYPTO_TLS_CREDS_ENDPOINT_SERVER, &error_abort);
d321e1e5
DB		 306 g_assert(serverSess != NULL);
307
308 /* For handshake to work, we need to set the I/O callbacks
309 * to read/write over the socketpair
310 */
311 qcrypto_tls_session_set_callbacks(serverSess,
312 testWrite, testRead,
313 &channel[0]);
314 qcrypto_tls_session_set_callbacks(clientSess,
315 testWrite, testRead,
316 &channel[1]);
317
318 /*
319 * Finally we loop around & around doing handshake on each
320 * session until we get an error, or the handshake completes.
321 * This relies on the socketpair being nonblocking to avoid
322 * deadlocking ourselves upon handshake
323 */
324 do {
325 int rv;
326 if (!serverShake) {
327 rv = qcrypto_tls_session_handshake(serverSess,
68db1318 328 &error_abort);
d321e1e5
DB		 329 g_assert(rv >= 0);
330 if (qcrypto_tls_session_get_handshake_status(serverSess) ==
331 QCRYPTO_TLS_HANDSHAKE_COMPLETE) {
332 serverShake = true;
333 }
334 }
335 if (!clientShake) {
336 rv = qcrypto_tls_session_handshake(clientSess,
68db1318 337 &error_abort);
d321e1e5
DB		 338 g_assert(rv >= 0);
339 if (qcrypto_tls_session_get_handshake_status(clientSess) ==
340 QCRYPTO_TLS_HANDSHAKE_COMPLETE) {
341 clientShake = true;
342 }
343 }
db0a8c70 344 } while (!clientShake || !serverShake);
d321e1e5
DB		 345
346
347 /* Finally make sure the server validation does what
348 * we were expecting
349 */
68db1318
DB		 350 if (qcrypto_tls_session_check_credentials(
351 serverSess, data->expectServerFail ? NULL : &error_abort) < 0) {
d321e1e5 352 g_assert(data->expectServerFail);
d321e1e5
DB		 353 } else {
354 g_assert(!data->expectServerFail);
355 }
356
357 /*
358 * And the same for the client validation check
359 */
68db1318
DB		 360 if (qcrypto_tls_session_check_credentials(
361 clientSess, data->expectClientFail ? NULL : &error_abort) < 0) {
d321e1e5 362 g_assert(data->expectClientFail);
d321e1e5
DB		 363 } else {
364 g_assert(!data->expectClientFail);
365 }
366
367 unlink(SERVER_CERT_DIR QCRYPTO_TLS_CREDS_X509_CA_CERT);
368 unlink(SERVER_CERT_DIR QCRYPTO_TLS_CREDS_X509_SERVER_CERT);
369 unlink(SERVER_CERT_DIR QCRYPTO_TLS_CREDS_X509_SERVER_KEY);
370
371 unlink(CLIENT_CERT_DIR QCRYPTO_TLS_CREDS_X509_CA_CERT);
372 unlink(CLIENT_CERT_DIR QCRYPTO_TLS_CREDS_X509_CLIENT_CERT);
373 unlink(CLIENT_CERT_DIR QCRYPTO_TLS_CREDS_X509_CLIENT_KEY);
374
375 rmdir(CLIENT_CERT_DIR);
376 rmdir(SERVER_CERT_DIR);
377
378 object_unparent(OBJECT(serverCreds));
379 object_unparent(OBJECT(clientCreds));
380
381 qcrypto_tls_session_free(serverSess);
382 qcrypto_tls_session_free(clientSess);
383
384 close(channel[0]);
385 close(channel[1]);
386}
387
388
389int main(int argc, char **argv)
390{
391 int ret;
392
393 module_call_init(MODULE_INIT_QOM);
394 g_test_init(&argc, &argv, NULL);
395 setenv("GNUTLS_FORCE_FIPS_MODE", "2", 1);
396
397 mkdir(WORKDIR, 0700);
398
399 test_tls_init(KEYFILE);
e1a6dc91
RJ		 400 test_tls_psk_init(PSKFILE);
401
402 /* Simple initial test using Pre-Shared Keys. */
403 g_test_add_func("/qcrypto/tlssession/psk",
404 test_crypto_tls_session_psk);
d321e1e5 405
e1a6dc91 406 /* More complex tests using X.509 certificates. */
d321e1e5
DB		 407# define TEST_SESS_REG(name, caCrt, \
408 serverCrt, clientCrt, \
409 expectServerFail, expectClientFail, \
410 hostname, wildcards) \
411 struct QCryptoTLSSessionTestData name = { \
412 caCrt, caCrt, serverCrt, clientCrt, \
413 expectServerFail, expectClientFail, \
414 hostname, wildcards \
415 }; \
416 g_test_add_data_func("/qcrypto/tlssession/" # name, \
e1a6dc91 417 &name, test_crypto_tls_session_x509); \
d321e1e5
DB		 418
419
420# define TEST_SESS_REG_EXT(name, serverCaCrt, clientCaCrt, \
421 serverCrt, clientCrt, \
422 expectServerFail, expectClientFail, \
423 hostname, wildcards) \
424 struct QCryptoTLSSessionTestData name = { \
425 serverCaCrt, clientCaCrt, serverCrt, clientCrt, \
426 expectServerFail, expectClientFail, \
427 hostname, wildcards \
428 }; \
429 g_test_add_data_func("/qcrypto/tlssession/" # name, \
e1a6dc91 430 &name, test_crypto_tls_session_x509); \
d321e1e5
DB		 431
432 /* A perfect CA, perfect client & perfect server */
433
434 /* Basic:CA:critical */
435 TLS_ROOT_REQ(cacertreq,
436 "UK", "qemu CA", NULL, NULL, NULL, NULL,
437 true, true, true,
438 true, true, GNUTLS_KEY_KEY_CERT_SIGN,
439 false, false, NULL, NULL,
440 0, 0);
441
442 TLS_ROOT_REQ(altcacertreq,
443 "UK", "qemu CA 1", NULL, NULL, NULL, NULL,
444 true, true, true,
445 false, false, 0,
446 false, false, NULL, NULL,
447 0, 0);
448
449 TLS_CERT_REQ(servercertreq, cacertreq,
450 "UK", "qemu.org", NULL, NULL, NULL, NULL,
451 true, true, false,
452 true, true,
453 GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT,
454 true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL,
455 0, 0);
456 TLS_CERT_REQ(clientcertreq, cacertreq,
457 "UK", "qemu", NULL, NULL, NULL, NULL,
458 true, true, false,
459 true, true,
460 GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT,
461 true, true, GNUTLS_KP_TLS_WWW_CLIENT, NULL,
462 0, 0);
463
464 TLS_CERT_REQ(clientcertaltreq, altcacertreq,
465 "UK", "qemu", NULL, NULL, NULL, NULL,
466 true, true, false,
467 true, true,
468 GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT,
469 true, true, GNUTLS_KP_TLS_WWW_CLIENT, NULL,
470 0, 0);
471
472 TEST_SESS_REG(basicca, cacertreq.filename,
473 servercertreq.filename, clientcertreq.filename,
474 false, false, "qemu.org", NULL);
475 TEST_SESS_REG_EXT(differentca, cacertreq.filename,
476 altcacertreq.filename, servercertreq.filename,
477 clientcertaltreq.filename, true, true, "qemu.org", NULL);
478
479
480 /* When an altname is set, the CN is ignored, so it must be duplicated
481 * as an altname for it to match */
482 TLS_CERT_REQ(servercertalt1req, cacertreq,
483 "UK", "qemu.org", "www.qemu.org", "qemu.org",
484 "192.168.122.1", "fec0::dead:beaf",
485 true, true, false,
486 true, true,
487 GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT,
488 true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL,
489 0, 0);
490 /* This intentionally doesn't replicate */
491 TLS_CERT_REQ(servercertalt2req, cacertreq,
492 "UK", "qemu.org", "www.qemu.org", "wiki.qemu.org",
493 "192.168.122.1", "fec0::dead:beaf",
494 true, true, false,
495 true, true,
496 GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT,
497 true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL,
498 0, 0);
499
500 TEST_SESS_REG(altname1, cacertreq.filename,
501 servercertalt1req.filename, clientcertreq.filename,
502 false, false, "qemu.org", NULL);
503 TEST_SESS_REG(altname2, cacertreq.filename,
504 servercertalt1req.filename, clientcertreq.filename,
505 false, false, "www.qemu.org", NULL);
506 TEST_SESS_REG(altname3, cacertreq.filename,
507 servercertalt1req.filename, clientcertreq.filename,
508 false, true, "wiki.qemu.org", NULL);
509
510 TEST_SESS_REG(altname4, cacertreq.filename,
511 servercertalt2req.filename, clientcertreq.filename,
512 false, true, "qemu.org", NULL);
513 TEST_SESS_REG(altname5, cacertreq.filename,
514 servercertalt2req.filename, clientcertreq.filename,
515 false, false, "www.qemu.org", NULL);
516 TEST_SESS_REG(altname6, cacertreq.filename,
517 servercertalt2req.filename, clientcertreq.filename,
518 false, false, "wiki.qemu.org", NULL);
519
520 const char *const wildcards1[] = {
521 "C=UK,CN=dogfood",
522 NULL,
523 };
524 const char *const wildcards2[] = {
525 "C=UK,CN=qemu",
526 NULL,
527 };
528 const char *const wildcards3[] = {
529 "C=UK,CN=dogfood",
530 "C=UK,CN=qemu",
531 NULL,
532 };
533 const char *const wildcards4[] = {
534 "C=UK,CN=qemustuff",
535 NULL,
536 };
537 const char *const wildcards5[] = {
538 "C=UK,CN=qemu*",
539 NULL,
540 };
541 const char *const wildcards6[] = {
542 "C=UK,CN=*emu*",
543 NULL,
544 };
545
546 TEST_SESS_REG(wildcard1, cacertreq.filename,
547 servercertreq.filename, clientcertreq.filename,
548 true, false, "qemu.org", wildcards1);
549 TEST_SESS_REG(wildcard2, cacertreq.filename,
550 servercertreq.filename, clientcertreq.filename,
551 false, false, "qemu.org", wildcards2);
552 TEST_SESS_REG(wildcard3, cacertreq.filename,
553 servercertreq.filename, clientcertreq.filename,
554 false, false, "qemu.org", wildcards3);
555 TEST_SESS_REG(wildcard4, cacertreq.filename,
556 servercertreq.filename, clientcertreq.filename,
557 true, false, "qemu.org", wildcards4);
558 TEST_SESS_REG(wildcard5, cacertreq.filename,
559 servercertreq.filename, clientcertreq.filename,
560 false, false, "qemu.org", wildcards5);
561 TEST_SESS_REG(wildcard6, cacertreq.filename,
562 servercertreq.filename, clientcertreq.filename,
563 false, false, "qemu.org", wildcards6);
564
565 TLS_ROOT_REQ(cacertrootreq,
566 "UK", "qemu root", NULL, NULL, NULL, NULL,
567 true, true, true,
568 true, true, GNUTLS_KEY_KEY_CERT_SIGN,
569 false, false, NULL, NULL,
570 0, 0);
571 TLS_CERT_REQ(cacertlevel1areq, cacertrootreq,
572 "UK", "qemu level 1a", NULL, NULL, NULL, NULL,
573 true, true, true,
574 true, true, GNUTLS_KEY_KEY_CERT_SIGN,
575 false, false, NULL, NULL,
576 0, 0);
577 TLS_CERT_REQ(cacertlevel1breq, cacertrootreq,
578 "UK", "qemu level 1b", NULL, NULL, NULL, NULL,
579 true, true, true,
580 true, true, GNUTLS_KEY_KEY_CERT_SIGN,
581 false, false, NULL, NULL,
582 0, 0);
583 TLS_CERT_REQ(cacertlevel2areq, cacertlevel1areq,
584 "UK", "qemu level 2a", NULL, NULL, NULL, NULL,
585 true, true, true,
586 true, true, GNUTLS_KEY_KEY_CERT_SIGN,
587 false, false, NULL, NULL,
588 0, 0);
589 TLS_CERT_REQ(servercertlevel3areq, cacertlevel2areq,
590 "UK", "qemu.org", NULL, NULL, NULL, NULL,
591 true, true, false,
592 true, true,
593 GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT,
594 true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL,
595 0, 0);
596 TLS_CERT_REQ(clientcertlevel2breq, cacertlevel1breq,
597 "UK", "qemu client level 2b", NULL, NULL, NULL, NULL,
598 true, true, false,
599 true, true,
600 GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT,
601 true, true, GNUTLS_KP_TLS_WWW_CLIENT, NULL,
602 0, 0);
603
604 gnutls_x509_crt_t certchain[] = {
605 cacertrootreq.crt,
606 cacertlevel1areq.crt,
607 cacertlevel1breq.crt,
608 cacertlevel2areq.crt,
609 };
610
611 test_tls_write_cert_chain(WORKDIR "cacertchain-sess.pem",
612 certchain,
613 G_N_ELEMENTS(certchain));
614
615 TEST_SESS_REG(cachain, WORKDIR "cacertchain-sess.pem",
616 servercertlevel3areq.filename, clientcertlevel2breq.filename,
617 false, false, "qemu.org", NULL);
618
619 ret = g_test_run();
620
621 test_tls_discard_cert(&clientcertreq);
622 test_tls_discard_cert(&clientcertaltreq);
623
624 test_tls_discard_cert(&servercertreq);
625 test_tls_discard_cert(&servercertalt1req);
626 test_tls_discard_cert(&servercertalt2req);
627
628 test_tls_discard_cert(&cacertreq);
629 test_tls_discard_cert(&altcacertreq);
630
631 test_tls_discard_cert(&cacertrootreq);
632 test_tls_discard_cert(&cacertlevel1areq);
633 test_tls_discard_cert(&cacertlevel1breq);
634 test_tls_discard_cert(&cacertlevel2areq);
635 test_tls_discard_cert(&servercertlevel3areq);
636 test_tls_discard_cert(&clientcertlevel2breq);
637 unlink(WORKDIR "cacertchain-sess.pem");
638
e1a6dc91 639 test_tls_psk_cleanup(PSKFILE);
d321e1e5
DB		 640 test_tls_cleanup(KEYFILE);
641 rmdir(WORKDIR);
642
643 return ret == 0 ? EXIT_SUCCESS : EXIT_FAILURE;
644}
645
646#else /* ! QCRYPTO_HAVE_TLS_TEST_SUPPORT */
647
648int
649main(void)
650{
651 return EXIT_SUCCESS;
652}
653
654#endif /* ! QCRYPTO_HAVE_TLS_TEST_SUPPORT */
QEMU mirror