]> git.proxmox.com Git - mirror_qemu.git/blame - tests/unit/test-crypto-tlssession.c
projects / mirror_qemu.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Merge tag 'pull-aspeed-20220801' of https://github.com/legoater/qemu into staging
[mirror_qemu.git] / tests / unit / test-crypto-tlssession.c
CommitLineData
d321e1e5
DB		 1/*
2 * Copyright (C) 2015 Red Hat, Inc.
3 *
4 * This library is free software; you can redistribute it and/or
5 * modify it under the terms of the GNU Lesser General Public
6 * License as published by the Free Software Foundation; either
7 * version 2.1 of the License, or (at your option) any later version.
8 *
9 * This library is distributed in the hope that it will be useful,
10 * but WITHOUT ANY WARRANTY; without even the implied warranty of
11 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
12 * Lesser General Public License for more details.
13 *
14 * You should have received a copy of the GNU Lesser General Public
15 * License along with this library. If not, see
16 * <http://www.gnu.org/licenses/>.
17 *
18 * Author: Daniel P. Berrange <berrange@redhat.com>
19 */
20
681c28a3 21#include "qemu/osdep.h"
d321e1e5 22
d321e1e5 23#include "crypto-tls-x509-helpers.h"
e1a6dc91 24#include "crypto-tls-psk-helpers.h"
d321e1e5 25#include "crypto/tlscredsx509.h"
e1a6dc91 26#include "crypto/tlscredspsk.h"
d321e1e5
DB		 27#include "crypto/tlssession.h"
28#include "qom/object_interfaces.h"
da34e65c 29#include "qapi/error.h"
0b8fa32f 30#include "qemu/module.h"
d321e1e5 31#include "qemu/sockets.h"
b76806d4 32#include "authz/list.h"
d321e1e5 33
d321e1e5 34#define WORKDIR "tests/test-crypto-tlssession-work/"
e1a6dc91 35#define PSKFILE WORKDIR "keys.psk"
d321e1e5
DB		 36#define KEYFILE WORKDIR "key-ctx.pem"
37
d321e1e5
DB		 38static ssize_t testWrite(const char *buf, size_t len, void *opaque)
39{
40 int *fd = opaque;
41
42 return write(*fd, buf, len);
43}
44
45static ssize_t testRead(char *buf, size_t len, void *opaque)
46{
47 int *fd = opaque;
48
49 return read(*fd, buf, len);
50}
51
e1a6dc91
RJ		 52static QCryptoTLSCreds *test_tls_creds_psk_create(
53 QCryptoTLSCredsEndpoint endpoint,
68db1318 54 const char *dir)
e1a6dc91 55{
e1a6dc91
RJ		 56 Object *parent = object_get_objects_root();
57 Object *creds = object_new_with_props(
58 TYPE_QCRYPTO_TLS_CREDS_PSK,
59 parent,
60 (endpoint == QCRYPTO_TLS_CREDS_ENDPOINT_SERVER ?
61 "testtlscredsserver" : "testtlscredsclient"),
68db1318 62 &error_abort,
e1a6dc91
RJ		 63 "endpoint", (endpoint == QCRYPTO_TLS_CREDS_ENDPOINT_SERVER ?
64 "server" : "client"),
65 "dir", dir,
66 "priority", "NORMAL",
67 NULL
68 );
e1a6dc91
RJ		 69 return QCRYPTO_TLS_CREDS(creds);
70}
71
72
73static void test_crypto_tls_session_psk(void)
74{
75 QCryptoTLSCreds *clientCreds;
76 QCryptoTLSCreds *serverCreds;
77 QCryptoTLSSession *clientSess = NULL;
78 QCryptoTLSSession *serverSess = NULL;
79 int channel[2];
80 bool clientShake = false;
81 bool serverShake = false;
e1a6dc91
RJ		 82 int ret;
83
84 /* We'll use this for our fake client-server connection */
85 ret = socketpair(AF_UNIX, SOCK_STREAM, 0, channel);
86 g_assert(ret == 0);
87
88 /*
89 * We have an evil loop to do the handshake in a single
90 * thread, so we need these non-blocking to avoid deadlock
91 * of ourselves
92 */
ff5927ba
MAL		 93 qemu_socket_set_nonblock(channel[0]);
94 qemu_socket_set_nonblock(channel[1]);
e1a6dc91
RJ		 95
96 clientCreds = test_tls_creds_psk_create(
97 QCRYPTO_TLS_CREDS_ENDPOINT_CLIENT,
68db1318 98 WORKDIR);
e1a6dc91
RJ		 99 g_assert(clientCreds != NULL);
100
101 serverCreds = test_tls_creds_psk_create(
102 QCRYPTO_TLS_CREDS_ENDPOINT_SERVER,
68db1318 103 WORKDIR);
e1a6dc91
RJ		 104 g_assert(serverCreds != NULL);
105
106 /* Now the real part of the test, setup the sessions */
107 clientSess = qcrypto_tls_session_new(
108 clientCreds, NULL, NULL,
68db1318
DB		 109 QCRYPTO_TLS_CREDS_ENDPOINT_CLIENT, &error_abort);
110 g_assert(clientSess != NULL);
111
e1a6dc91
RJ		 112 serverSess = qcrypto_tls_session_new(
113 serverCreds, NULL, NULL,
68db1318 114 QCRYPTO_TLS_CREDS_ENDPOINT_SERVER, &error_abort);
e1a6dc91
RJ		 115 g_assert(serverSess != NULL);
116
117 /* For handshake to work, we need to set the I/O callbacks
118 * to read/write over the socketpair
119 */
120 qcrypto_tls_session_set_callbacks(serverSess,
121 testWrite, testRead,
122 &channel[0]);
123 qcrypto_tls_session_set_callbacks(clientSess,
124 testWrite, testRead,
125 &channel[1]);
126
127 /*
128 * Finally we loop around & around doing handshake on each
129 * session until we get an error, or the handshake completes.
130 * This relies on the socketpair being nonblocking to avoid
131 * deadlocking ourselves upon handshake
132 */
133 do {
134 int rv;
135 if (!serverShake) {
136 rv = qcrypto_tls_session_handshake(serverSess,
68db1318 137 &error_abort);
e1a6dc91
RJ		 138 g_assert(rv >= 0);
139 if (qcrypto_tls_session_get_handshake_status(serverSess) ==
140 QCRYPTO_TLS_HANDSHAKE_COMPLETE) {
141 serverShake = true;
142 }
143 }
144 if (!clientShake) {
145 rv = qcrypto_tls_session_handshake(clientSess,
68db1318 146 &error_abort);
e1a6dc91
RJ		 147 g_assert(rv >= 0);
148 if (qcrypto_tls_session_get_handshake_status(clientSess) ==
149 QCRYPTO_TLS_HANDSHAKE_COMPLETE) {
150 clientShake = true;
151 }
152 }
db0a8c70 153 } while (!clientShake || !serverShake);
e1a6dc91
RJ		 154
155
156 /* Finally make sure the server & client validation is successful. */
68db1318
DB		 157 g_assert(qcrypto_tls_session_check_credentials(serverSess,
158 &error_abort) == 0);
159 g_assert(qcrypto_tls_session_check_credentials(clientSess,
160 &error_abort) == 0);
e1a6dc91
RJ		 161
162 object_unparent(OBJECT(serverCreds));
163 object_unparent(OBJECT(clientCreds));
164
165 qcrypto_tls_session_free(serverSess);
166 qcrypto_tls_session_free(clientSess);
167
168 close(channel[0]);
169 close(channel[1]);
170}
171
172
173struct QCryptoTLSSessionTestData {
174 const char *servercacrt;
175 const char *clientcacrt;
176 const char *servercrt;
177 const char *clientcrt;
178 bool expectServerFail;
179 bool expectClientFail;
180 const char *hostname;
181 const char *const *wildcards;
182};
183
184static QCryptoTLSCreds *test_tls_creds_x509_create(
185 QCryptoTLSCredsEndpoint endpoint,
68db1318 186 const char *certdir)
d321e1e5 187{
d321e1e5
DB		 188 Object *parent = object_get_objects_root();
189 Object *creds = object_new_with_props(
190 TYPE_QCRYPTO_TLS_CREDS_X509,
191 parent,
192 (endpoint == QCRYPTO_TLS_CREDS_ENDPOINT_SERVER ?
193 "testtlscredsserver" : "testtlscredsclient"),
68db1318 194 &error_abort,
d321e1e5
DB		 195 "endpoint", (endpoint == QCRYPTO_TLS_CREDS_ENDPOINT_SERVER ?
196 "server" : "client"),
197 "dir", certdir,
198 "verify-peer", "yes",
057ad0b4 199 "priority", "NORMAL",
d321e1e5
DB		 200 /* We skip initial sanity checks here because we
201 * want to make sure that problems are being
202 * detected at the TLS session validation stage,
203 * and the test-crypto-tlscreds test already
204 * validate the sanity check code.
205 */
206 "sanity-check", "no",
207 NULL
208 );
d321e1e5
DB		 209 return QCRYPTO_TLS_CREDS(creds);
210}
211
212
213/*
214 * This tests validation checking of peer certificates
215 *
216 * This is replicating the checks that are done for an
217 * active TLS session after handshake completes. To
218 * simulate that we create our TLS contexts, skipping
219 * sanity checks. We then get a socketpair, and
220 * initiate a TLS session across them. Finally do
221 * do actual cert validation tests
222 */
e1a6dc91 223static void test_crypto_tls_session_x509(const void *opaque)
d321e1e5
DB		 224{
225 struct QCryptoTLSSessionTestData *data =
226 (struct QCryptoTLSSessionTestData *)opaque;
227 QCryptoTLSCreds *clientCreds;
228 QCryptoTLSCreds *serverCreds;
229 QCryptoTLSSession *clientSess = NULL;
230 QCryptoTLSSession *serverSess = NULL;
b76806d4 231 QAuthZList *auth;
d321e1e5
DB		 232 const char * const *wildcards;
233 int channel[2];
234 bool clientShake = false;
235 bool serverShake = false;
d321e1e5
DB		 236 int ret;
237
238 /* We'll use this for our fake client-server connection */
239 ret = socketpair(AF_UNIX, SOCK_STREAM, 0, channel);
240 g_assert(ret == 0);
241
242 /*
243 * We have an evil loop to do the handshake in a single
244 * thread, so we need these non-blocking to avoid deadlock
245 * of ourselves
246 */
ff5927ba
MAL		 247 qemu_socket_set_nonblock(channel[0]);
248 qemu_socket_set_nonblock(channel[1]);
d321e1e5
DB		 249
250#define CLIENT_CERT_DIR "tests/test-crypto-tlssession-client/"
251#define SERVER_CERT_DIR "tests/test-crypto-tlssession-server/"
252 mkdir(CLIENT_CERT_DIR, 0700);
253 mkdir(SERVER_CERT_DIR, 0700);
254
255 unlink(SERVER_CERT_DIR QCRYPTO_TLS_CREDS_X509_CA_CERT);
256 unlink(SERVER_CERT_DIR QCRYPTO_TLS_CREDS_X509_SERVER_CERT);
257 unlink(SERVER_CERT_DIR QCRYPTO_TLS_CREDS_X509_SERVER_KEY);
258
259 unlink(CLIENT_CERT_DIR QCRYPTO_TLS_CREDS_X509_CA_CERT);
260 unlink(CLIENT_CERT_DIR QCRYPTO_TLS_CREDS_X509_CLIENT_CERT);
261 unlink(CLIENT_CERT_DIR QCRYPTO_TLS_CREDS_X509_CLIENT_KEY);
262
263 g_assert(link(data->servercacrt,
264 SERVER_CERT_DIR QCRYPTO_TLS_CREDS_X509_CA_CERT) == 0);
265 g_assert(link(data->servercrt,
266 SERVER_CERT_DIR QCRYPTO_TLS_CREDS_X509_SERVER_CERT) == 0);
267 g_assert(link(KEYFILE,
268 SERVER_CERT_DIR QCRYPTO_TLS_CREDS_X509_SERVER_KEY) == 0);
269
270 g_assert(link(data->clientcacrt,
271 CLIENT_CERT_DIR QCRYPTO_TLS_CREDS_X509_CA_CERT) == 0);
272 g_assert(link(data->clientcrt,
273 CLIENT_CERT_DIR QCRYPTO_TLS_CREDS_X509_CLIENT_CERT) == 0);
274 g_assert(link(KEYFILE,
275 CLIENT_CERT_DIR QCRYPTO_TLS_CREDS_X509_CLIENT_KEY) == 0);
276
e1a6dc91 277 clientCreds = test_tls_creds_x509_create(
d321e1e5 278 QCRYPTO_TLS_CREDS_ENDPOINT_CLIENT,
68db1318 279 CLIENT_CERT_DIR);
d321e1e5
DB		 280 g_assert(clientCreds != NULL);
281
e1a6dc91 282 serverCreds = test_tls_creds_x509_create(
d321e1e5 283 QCRYPTO_TLS_CREDS_ENDPOINT_SERVER,
68db1318 284 SERVER_CERT_DIR);
d321e1e5
DB		 285 g_assert(serverCreds != NULL);
286
b76806d4
DB		 287 auth = qauthz_list_new("tlssessionacl",
288 QAUTHZ_LIST_POLICY_DENY,
289 &error_abort);
d321e1e5
DB		 290 wildcards = data->wildcards;
291 while (wildcards && *wildcards) {
b76806d4
DB		 292 qauthz_list_append_rule(auth, *wildcards,
293 QAUTHZ_LIST_POLICY_ALLOW,
294 QAUTHZ_LIST_FORMAT_GLOB,
295 &error_abort);
d321e1e5
DB		 296 wildcards++;
297 }
298
299 /* Now the real part of the test, setup the sessions */
300 clientSess = qcrypto_tls_session_new(
301 clientCreds, data->hostname, NULL,
68db1318
DB		 302 QCRYPTO_TLS_CREDS_ENDPOINT_CLIENT, &error_abort);
303 g_assert(clientSess != NULL);
304
d321e1e5
DB		 305 serverSess = qcrypto_tls_session_new(
306 serverCreds, NULL,
307 data->wildcards ? "tlssessionacl" : NULL,
68db1318 308 QCRYPTO_TLS_CREDS_ENDPOINT_SERVER, &error_abort);
d321e1e5
DB		 309 g_assert(serverSess != NULL);
310
311 /* For handshake to work, we need to set the I/O callbacks
312 * to read/write over the socketpair
313 */
314 qcrypto_tls_session_set_callbacks(serverSess,
315 testWrite, testRead,
316 &channel[0]);
317 qcrypto_tls_session_set_callbacks(clientSess,
318 testWrite, testRead,
319 &channel[1]);
320
321 /*
322 * Finally we loop around & around doing handshake on each
323 * session until we get an error, or the handshake completes.
324 * This relies on the socketpair being nonblocking to avoid
325 * deadlocking ourselves upon handshake
326 */
327 do {
328 int rv;
329 if (!serverShake) {
330 rv = qcrypto_tls_session_handshake(serverSess,
68db1318 331 &error_abort);
d321e1e5
DB		 332 g_assert(rv >= 0);
333 if (qcrypto_tls_session_get_handshake_status(serverSess) ==
334 QCRYPTO_TLS_HANDSHAKE_COMPLETE) {
335 serverShake = true;
336 }
337 }
338 if (!clientShake) {
339 rv = qcrypto_tls_session_handshake(clientSess,
68db1318 340 &error_abort);
d321e1e5
DB		 341 g_assert(rv >= 0);
342 if (qcrypto_tls_session_get_handshake_status(clientSess) ==
343 QCRYPTO_TLS_HANDSHAKE_COMPLETE) {
344 clientShake = true;
345 }
346 }
db0a8c70 347 } while (!clientShake || !serverShake);
d321e1e5
DB		 348
349
350 /* Finally make sure the server validation does what
351 * we were expecting
352 */
68db1318
DB		 353 if (qcrypto_tls_session_check_credentials(
354 serverSess, data->expectServerFail ? NULL : &error_abort) < 0) {
d321e1e5 355 g_assert(data->expectServerFail);
d321e1e5
DB		 356 } else {
357 g_assert(!data->expectServerFail);
358 }
359
360 /*
361 * And the same for the client validation check
362 */
68db1318
DB		 363 if (qcrypto_tls_session_check_credentials(
364 clientSess, data->expectClientFail ? NULL : &error_abort) < 0) {
d321e1e5 365 g_assert(data->expectClientFail);
d321e1e5
DB		 366 } else {
367 g_assert(!data->expectClientFail);
368 }
369
370 unlink(SERVER_CERT_DIR QCRYPTO_TLS_CREDS_X509_CA_CERT);
371 unlink(SERVER_CERT_DIR QCRYPTO_TLS_CREDS_X509_SERVER_CERT);
372 unlink(SERVER_CERT_DIR QCRYPTO_TLS_CREDS_X509_SERVER_KEY);
373
374 unlink(CLIENT_CERT_DIR QCRYPTO_TLS_CREDS_X509_CA_CERT);
375 unlink(CLIENT_CERT_DIR QCRYPTO_TLS_CREDS_X509_CLIENT_CERT);
376 unlink(CLIENT_CERT_DIR QCRYPTO_TLS_CREDS_X509_CLIENT_KEY);
377
378 rmdir(CLIENT_CERT_DIR);
379 rmdir(SERVER_CERT_DIR);
380
381 object_unparent(OBJECT(serverCreds));
382 object_unparent(OBJECT(clientCreds));
b76806d4 383 object_unparent(OBJECT(auth));
d321e1e5
DB		 384
385 qcrypto_tls_session_free(serverSess);
386 qcrypto_tls_session_free(clientSess);
387
388 close(channel[0]);
389 close(channel[1]);
390}
391
392
393int main(int argc, char **argv)
394{
395 int ret;
396
397 module_call_init(MODULE_INIT_QOM);
398 g_test_init(&argc, &argv, NULL);
e468ffdc 399 g_setenv("GNUTLS_FORCE_FIPS_MODE", "2", 1);
d321e1e5
DB		 400
401 mkdir(WORKDIR, 0700);
402
403 test_tls_init(KEYFILE);
e1a6dc91
RJ		 404 test_tls_psk_init(PSKFILE);
405
406 /* Simple initial test using Pre-Shared Keys. */
407 g_test_add_func("/qcrypto/tlssession/psk",
408 test_crypto_tls_session_psk);
d321e1e5 409
e1a6dc91 410 /* More complex tests using X.509 certificates. */
d321e1e5
DB		 411# define TEST_SESS_REG(name, caCrt, \
412 serverCrt, clientCrt, \
413 expectServerFail, expectClientFail, \
414 hostname, wildcards) \
415 struct QCryptoTLSSessionTestData name = { \
416 caCrt, caCrt, serverCrt, clientCrt, \
417 expectServerFail, expectClientFail, \
418 hostname, wildcards \
419 }; \
420 g_test_add_data_func("/qcrypto/tlssession/" # name, \
e1a6dc91 421 &name, test_crypto_tls_session_x509); \
d321e1e5
DB		 422
423
424# define TEST_SESS_REG_EXT(name, serverCaCrt, clientCaCrt, \
425 serverCrt, clientCrt, \
426 expectServerFail, expectClientFail, \
427 hostname, wildcards) \
428 struct QCryptoTLSSessionTestData name = { \
429 serverCaCrt, clientCaCrt, serverCrt, clientCrt, \
430 expectServerFail, expectClientFail, \
431 hostname, wildcards \
432 }; \
433 g_test_add_data_func("/qcrypto/tlssession/" # name, \
e1a6dc91 434 &name, test_crypto_tls_session_x509); \
d321e1e5
DB		 435
436 /* A perfect CA, perfect client & perfect server */
437
438 /* Basic:CA:critical */
439 TLS_ROOT_REQ(cacertreq,
440 "UK", "qemu CA", NULL, NULL, NULL, NULL,
441 true, true, true,
442 true, true, GNUTLS_KEY_KEY_CERT_SIGN,
443 false, false, NULL, NULL,
444 0, 0);
445
446 TLS_ROOT_REQ(altcacertreq,
447 "UK", "qemu CA 1", NULL, NULL, NULL, NULL,
448 true, true, true,
449 false, false, 0,
450 false, false, NULL, NULL,
451 0, 0);
452
453 TLS_CERT_REQ(servercertreq, cacertreq,
454 "UK", "qemu.org", NULL, NULL, NULL, NULL,
455 true, true, false,
456 true, true,
457 GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT,
458 true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL,
459 0, 0);
460 TLS_CERT_REQ(clientcertreq, cacertreq,
461 "UK", "qemu", NULL, NULL, NULL, NULL,
462 true, true, false,
463 true, true,
464 GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT,
465 true, true, GNUTLS_KP_TLS_WWW_CLIENT, NULL,
466 0, 0);
467
468 TLS_CERT_REQ(clientcertaltreq, altcacertreq,
469 "UK", "qemu", NULL, NULL, NULL, NULL,
470 true, true, false,
471 true, true,
472 GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT,
473 true, true, GNUTLS_KP_TLS_WWW_CLIENT, NULL,
474 0, 0);
475
476 TEST_SESS_REG(basicca, cacertreq.filename,
477 servercertreq.filename, clientcertreq.filename,
478 false, false, "qemu.org", NULL);
479 TEST_SESS_REG_EXT(differentca, cacertreq.filename,
480 altcacertreq.filename, servercertreq.filename,
481 clientcertaltreq.filename, true, true, "qemu.org", NULL);
482
483
484 /* When an altname is set, the CN is ignored, so it must be duplicated
485 * as an altname for it to match */
486 TLS_CERT_REQ(servercertalt1req, cacertreq,
487 "UK", "qemu.org", "www.qemu.org", "qemu.org",
488 "192.168.122.1", "fec0::dead:beaf",
489 true, true, false,
490 true, true,
491 GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT,
492 true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL,
493 0, 0);
494 /* This intentionally doesn't replicate */
495 TLS_CERT_REQ(servercertalt2req, cacertreq,
496 "UK", "qemu.org", "www.qemu.org", "wiki.qemu.org",
497 "192.168.122.1", "fec0::dead:beaf",
498 true, true, false,
499 true, true,
500 GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT,
501 true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL,
502 0, 0);
503
504 TEST_SESS_REG(altname1, cacertreq.filename,
505 servercertalt1req.filename, clientcertreq.filename,
506 false, false, "qemu.org", NULL);
507 TEST_SESS_REG(altname2, cacertreq.filename,
508 servercertalt1req.filename, clientcertreq.filename,
509 false, false, "www.qemu.org", NULL);
510 TEST_SESS_REG(altname3, cacertreq.filename,
511 servercertalt1req.filename, clientcertreq.filename,
512 false, true, "wiki.qemu.org", NULL);
513
514 TEST_SESS_REG(altname4, cacertreq.filename,
c98ce274
DB		 515 servercertalt1req.filename, clientcertreq.filename,
516 false, false, "192.168.122.1", NULL);
517 TEST_SESS_REG(altname5, cacertreq.filename,
518 servercertalt1req.filename, clientcertreq.filename,
519 false, false, "fec0::dead:beaf", NULL);
520
521 TEST_SESS_REG(altname6, cacertreq.filename,
d321e1e5
DB		 522 servercertalt2req.filename, clientcertreq.filename,
523 false, true, "qemu.org", NULL);
c98ce274 524 TEST_SESS_REG(altname7, cacertreq.filename,
d321e1e5
DB		 525 servercertalt2req.filename, clientcertreq.filename,
526 false, false, "www.qemu.org", NULL);
c98ce274 527 TEST_SESS_REG(altname8, cacertreq.filename,
d321e1e5
DB		 528 servercertalt2req.filename, clientcertreq.filename,
529 false, false, "wiki.qemu.org", NULL);
530
531 const char *const wildcards1[] = {
532 "C=UK,CN=dogfood",
533 NULL,
534 };
535 const char *const wildcards2[] = {
536 "C=UK,CN=qemu",
537 NULL,
538 };
539 const char *const wildcards3[] = {
540 "C=UK,CN=dogfood",
541 "C=UK,CN=qemu",
542 NULL,
543 };
544 const char *const wildcards4[] = {
545 "C=UK,CN=qemustuff",
546 NULL,
547 };
548 const char *const wildcards5[] = {
549 "C=UK,CN=qemu*",
550 NULL,
551 };
552 const char *const wildcards6[] = {
553 "C=UK,CN=*emu*",
554 NULL,
555 };
556
557 TEST_SESS_REG(wildcard1, cacertreq.filename,
558 servercertreq.filename, clientcertreq.filename,
559 true, false, "qemu.org", wildcards1);
560 TEST_SESS_REG(wildcard2, cacertreq.filename,
561 servercertreq.filename, clientcertreq.filename,
562 false, false, "qemu.org", wildcards2);
563 TEST_SESS_REG(wildcard3, cacertreq.filename,
564 servercertreq.filename, clientcertreq.filename,
565 false, false, "qemu.org", wildcards3);
566 TEST_SESS_REG(wildcard4, cacertreq.filename,
567 servercertreq.filename, clientcertreq.filename,
568 true, false, "qemu.org", wildcards4);
569 TEST_SESS_REG(wildcard5, cacertreq.filename,
570 servercertreq.filename, clientcertreq.filename,
571 false, false, "qemu.org", wildcards5);
572 TEST_SESS_REG(wildcard6, cacertreq.filename,
573 servercertreq.filename, clientcertreq.filename,
574 false, false, "qemu.org", wildcards6);
575
576 TLS_ROOT_REQ(cacertrootreq,
577 "UK", "qemu root", NULL, NULL, NULL, NULL,
578 true, true, true,
579 true, true, GNUTLS_KEY_KEY_CERT_SIGN,
580 false, false, NULL, NULL,
581 0, 0);
582 TLS_CERT_REQ(cacertlevel1areq, cacertrootreq,
583 "UK", "qemu level 1a", NULL, NULL, NULL, NULL,
584 true, true, true,
585 true, true, GNUTLS_KEY_KEY_CERT_SIGN,
586 false, false, NULL, NULL,
587 0, 0);
588 TLS_CERT_REQ(cacertlevel1breq, cacertrootreq,
589 "UK", "qemu level 1b", NULL, NULL, NULL, NULL,
590 true, true, true,
591 true, true, GNUTLS_KEY_KEY_CERT_SIGN,
592 false, false, NULL, NULL,
593 0, 0);
594 TLS_CERT_REQ(cacertlevel2areq, cacertlevel1areq,
595 "UK", "qemu level 2a", NULL, NULL, NULL, NULL,
596 true, true, true,
597 true, true, GNUTLS_KEY_KEY_CERT_SIGN,
598 false, false, NULL, NULL,
599 0, 0);
600 TLS_CERT_REQ(servercertlevel3areq, cacertlevel2areq,
601 "UK", "qemu.org", NULL, NULL, NULL, NULL,
602 true, true, false,
603 true, true,
604 GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT,
605 true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL,
606 0, 0);
607 TLS_CERT_REQ(clientcertlevel2breq, cacertlevel1breq,
608 "UK", "qemu client level 2b", NULL, NULL, NULL, NULL,
609 true, true, false,
610 true, true,
611 GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT,
612 true, true, GNUTLS_KP_TLS_WWW_CLIENT, NULL,
613 0, 0);
614
615 gnutls_x509_crt_t certchain[] = {
616 cacertrootreq.crt,
617 cacertlevel1areq.crt,
618 cacertlevel1breq.crt,
619 cacertlevel2areq.crt,
620 };
621
622 test_tls_write_cert_chain(WORKDIR "cacertchain-sess.pem",
623 certchain,
624 G_N_ELEMENTS(certchain));
625
626 TEST_SESS_REG(cachain, WORKDIR "cacertchain-sess.pem",
627 servercertlevel3areq.filename, clientcertlevel2breq.filename,
628 false, false, "qemu.org", NULL);
629
630 ret = g_test_run();
631
632 test_tls_discard_cert(&clientcertreq);
633 test_tls_discard_cert(&clientcertaltreq);
634
635 test_tls_discard_cert(&servercertreq);
636 test_tls_discard_cert(&servercertalt1req);
637 test_tls_discard_cert(&servercertalt2req);
638
639 test_tls_discard_cert(&cacertreq);
640 test_tls_discard_cert(&altcacertreq);
641
642 test_tls_discard_cert(&cacertrootreq);
643 test_tls_discard_cert(&cacertlevel1areq);
644 test_tls_discard_cert(&cacertlevel1breq);
645 test_tls_discard_cert(&cacertlevel2areq);
646 test_tls_discard_cert(&servercertlevel3areq);
647 test_tls_discard_cert(&clientcertlevel2breq);
648 unlink(WORKDIR "cacertchain-sess.pem");
649
e1a6dc91 650 test_tls_psk_cleanup(PSKFILE);
d321e1e5
DB		 651 test_tls_cleanup(KEYFILE);
652 rmdir(WORKDIR);
653
654 return ret == 0 ? EXIT_SUCCESS : EXIT_FAILURE;
655}
QEMU mirror