[mirror_qemu.git] / tests / unit / test-io-channel-tls.c

/*
 * QEMU I/O channel TLS test
 *
 * Copyright (C) 2015 Red Hat, Inc.
 *
 * This library is free software; you can redistribute it and/or
 * modify it under the terms of the GNU Lesser General Public
 * License as published by the Free Software Foundation; either
 * version 2.1 of the License, or (at your option) any later version.
 *
 * This library is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
 * Lesser General Public License for more details.
 *
 * You should have received a copy of the GNU Lesser General Public
 * License along with this library.  If not, see
 * <http://www.gnu.org/licenses/>.
 *
 * Author: Daniel P. Berrange <berrange@redhat.com>
 */


#include "qemu/osdep.h"

#include "crypto-tls-x509-helpers.h"
#include "io/channel-tls.h"
#include "io/channel-socket.h"
#include "io-channel-helpers.h"
#include "crypto/init.h"
#include "crypto/tlscredsx509.h"
#include "qapi/error.h"
#include "qemu/module.h"
#include "authz/list.h"
#include "qom/object_interfaces.h"

#define WORKDIR "tests/test-io-channel-tls-work/"
#define KEYFILE WORKDIR "key-ctx.pem"

struct QIOChannelTLSTestData {
    const char *servercacrt;
    const char *clientcacrt;
    const char *servercrt;
    const char *clientcrt;
    bool expectServerFail;
    bool expectClientFail;
    const char *hostname;
    const char *const *wildcards;
};

struct QIOChannelTLSHandshakeData {
    bool finished;
    bool failed;
};

static void test_tls_handshake_done(QIOTask *task,
                                    gpointer opaque)
{
    struct QIOChannelTLSHandshakeData *data = opaque;

    data->finished = true;
    data->failed = qio_task_propagate_error(task, NULL);
}


static QCryptoTLSCreds *test_tls_creds_create(QCryptoTLSCredsEndpoint endpoint,
                                              const char *certdir)
{
    Object *parent = object_get_objects_root();
    Object *creds = object_new_with_props(
        TYPE_QCRYPTO_TLS_CREDS_X509,
        parent,
        (endpoint == QCRYPTO_TLS_CREDS_ENDPOINT_SERVER ?
         "testtlscredsserver" : "testtlscredsclient"),
        &error_abort,
        "endpoint", (endpoint == QCRYPTO_TLS_CREDS_ENDPOINT_SERVER ?
                     "server" : "client"),
        "dir", certdir,
        "verify-peer", "yes",
        "priority", "NORMAL",
        /* We skip initial sanity checks here because we
         * want to make sure that problems are being
         * detected at the TLS session validation stage,
         * and the test-crypto-tlscreds test already
         * validate the sanity check code.
         */
        "sanity-check", "no",
        NULL
        );

    return QCRYPTO_TLS_CREDS(creds);
}


/*
 * This tests validation checking of peer certificates
 *
 * This is replicating the checks that are done for an
 * active TLS session after handshake completes. To
 * simulate that we create our TLS contexts, skipping
 * sanity checks. When then get a socketpair, and
 * initiate a TLS session across them. Finally do
 * do actual cert validation tests
 */
static void test_io_channel_tls(const void *opaque)
{
    struct QIOChannelTLSTestData *data =
        (struct QIOChannelTLSTestData *)opaque;
    QCryptoTLSCreds *clientCreds;
    QCryptoTLSCreds *serverCreds;
    QIOChannelTLS *clientChanTLS;
    QIOChannelTLS *serverChanTLS;
    QIOChannelSocket *clientChanSock;
    QIOChannelSocket *serverChanSock;
    QAuthZList *auth;
    const char * const *wildcards;
    int channel[2];
    struct QIOChannelTLSHandshakeData clientHandshake = { false, false };
    struct QIOChannelTLSHandshakeData serverHandshake = { false, false };
    QIOChannelTest *test;
    GMainContext *mainloop;

    /* We'll use this for our fake client-server connection */
    g_assert(socketpair(AF_UNIX, SOCK_STREAM, 0, channel) == 0);

#define CLIENT_CERT_DIR "tests/test-io-channel-tls-client/"
#define SERVER_CERT_DIR "tests/test-io-channel-tls-server/"
    mkdir(CLIENT_CERT_DIR, 0700);
    mkdir(SERVER_CERT_DIR, 0700);

    unlink(SERVER_CERT_DIR QCRYPTO_TLS_CREDS_X509_CA_CERT);
    unlink(SERVER_CERT_DIR QCRYPTO_TLS_CREDS_X509_SERVER_CERT);
    unlink(SERVER_CERT_DIR QCRYPTO_TLS_CREDS_X509_SERVER_KEY);

    unlink(CLIENT_CERT_DIR QCRYPTO_TLS_CREDS_X509_CA_CERT);
    unlink(CLIENT_CERT_DIR QCRYPTO_TLS_CREDS_X509_CLIENT_CERT);
    unlink(CLIENT_CERT_DIR QCRYPTO_TLS_CREDS_X509_CLIENT_KEY);

    g_assert(link(data->servercacrt,
                  SERVER_CERT_DIR QCRYPTO_TLS_CREDS_X509_CA_CERT) == 0);
    g_assert(link(data->servercrt,
                  SERVER_CERT_DIR QCRYPTO_TLS_CREDS_X509_SERVER_CERT) == 0);
    g_assert(link(KEYFILE,
                  SERVER_CERT_DIR QCRYPTO_TLS_CREDS_X509_SERVER_KEY) == 0);

    g_assert(link(data->clientcacrt,
                  CLIENT_CERT_DIR QCRYPTO_TLS_CREDS_X509_CA_CERT) == 0);
    g_assert(link(data->clientcrt,
                  CLIENT_CERT_DIR QCRYPTO_TLS_CREDS_X509_CLIENT_CERT) == 0);
    g_assert(link(KEYFILE,
                  CLIENT_CERT_DIR QCRYPTO_TLS_CREDS_X509_CLIENT_KEY) == 0);

    clientCreds = test_tls_creds_create(
        QCRYPTO_TLS_CREDS_ENDPOINT_CLIENT,
        CLIENT_CERT_DIR);
    g_assert(clientCreds != NULL);

    serverCreds = test_tls_creds_create(
        QCRYPTO_TLS_CREDS_ENDPOINT_SERVER,
        SERVER_CERT_DIR);
    g_assert(serverCreds != NULL);

    auth = qauthz_list_new("channeltlsacl",
                           QAUTHZ_LIST_POLICY_DENY,
                           &error_abort);
    wildcards = data->wildcards;
    while (wildcards && *wildcards) {
        qauthz_list_append_rule(auth, *wildcards,
                                QAUTHZ_LIST_POLICY_ALLOW,
                                QAUTHZ_LIST_FORMAT_GLOB,
                                &error_abort);
        wildcards++;
    }

    clientChanSock = qio_channel_socket_new_fd(
        channel[0], &error_abort);
    g_assert(clientChanSock != NULL);
    serverChanSock = qio_channel_socket_new_fd(
        channel[1], &error_abort);
    g_assert(serverChanSock != NULL);

    /*
     * We have an evil loop to do the handshake in a single
     * thread, so we need these non-blocking to avoid deadlock
     * of ourselves
     */
    qio_channel_set_blocking(QIO_CHANNEL(clientChanSock), false, NULL);
    qio_channel_set_blocking(QIO_CHANNEL(serverChanSock), false, NULL);

    /* Now the real part of the test, setup the sessions */
    clientChanTLS = qio_channel_tls_new_client(
        QIO_CHANNEL(clientChanSock), clientCreds,
        data->hostname, &error_abort);
    g_assert(clientChanTLS != NULL);

    serverChanTLS = qio_channel_tls_new_server(
        QIO_CHANNEL(serverChanSock), serverCreds,
        "channeltlsacl", &error_abort);
    g_assert(serverChanTLS != NULL);

    qio_channel_tls_handshake(clientChanTLS,
                              test_tls_handshake_done,
                              &clientHandshake,
                              NULL,
                              NULL);
    qio_channel_tls_handshake(serverChanTLS,
                              test_tls_handshake_done,
                              &serverHandshake,
                              NULL,
                              NULL);

    /*
     * Finally we loop around & around doing handshake on each
     * session until we get an error, or the handshake completes.
     * This relies on the socketpair being nonblocking to avoid
     * deadlocking ourselves upon handshake
     */
    mainloop = g_main_context_default();
    do {
        g_main_context_iteration(mainloop, TRUE);
    } while (!clientHandshake.finished ||
             !serverHandshake.finished);

    g_assert(clientHandshake.failed == data->expectClientFail);
    g_assert(serverHandshake.failed == data->expectServerFail);

    test = qio_channel_test_new();
    qio_channel_test_run_threads(test, false,
                                 QIO_CHANNEL(clientChanTLS),
                                 QIO_CHANNEL(serverChanTLS));
    qio_channel_test_validate(test);

    test = qio_channel_test_new();
    qio_channel_test_run_threads(test, true,
                                 QIO_CHANNEL(clientChanTLS),
                                 QIO_CHANNEL(serverChanTLS));
    qio_channel_test_validate(test);

    unlink(SERVER_CERT_DIR QCRYPTO_TLS_CREDS_X509_CA_CERT);
    unlink(SERVER_CERT_DIR QCRYPTO_TLS_CREDS_X509_SERVER_CERT);
    unlink(SERVER_CERT_DIR QCRYPTO_TLS_CREDS_X509_SERVER_KEY);

    unlink(CLIENT_CERT_DIR QCRYPTO_TLS_CREDS_X509_CA_CERT);
    unlink(CLIENT_CERT_DIR QCRYPTO_TLS_CREDS_X509_CLIENT_CERT);
    unlink(CLIENT_CERT_DIR QCRYPTO_TLS_CREDS_X509_CLIENT_KEY);

    rmdir(CLIENT_CERT_DIR);
    rmdir(SERVER_CERT_DIR);

    object_unparent(OBJECT(serverCreds));
    object_unparent(OBJECT(clientCreds));

    object_unref(OBJECT(serverChanTLS));
    object_unref(OBJECT(clientChanTLS));

    object_unref(OBJECT(serverChanSock));
    object_unref(OBJECT(clientChanSock));

    object_unparent(OBJECT(auth));

    close(channel[0]);
    close(channel[1]);
}


int main(int argc, char **argv)
{
    int ret;

    g_assert(qcrypto_init(NULL) == 0);

    module_call_init(MODULE_INIT_QOM);
    g_test_init(&argc, &argv, NULL);
    g_setenv("GNUTLS_FORCE_FIPS_MODE", "2", 1);

    mkdir(WORKDIR, 0700);

    test_tls_init(KEYFILE);

# define TEST_CHANNEL(name, caCrt,                                      \
                      serverCrt, clientCrt,                             \
                      expectServerFail, expectClientFail,               \
                      hostname, wildcards)                              \
    struct QIOChannelTLSTestData name = {                               \
        caCrt, caCrt, serverCrt, clientCrt,                             \
        expectServerFail, expectClientFail,                             \
        hostname, wildcards                                             \
    };                                                                  \
    g_test_add_data_func("/qio/channel/tls/" # name,                    \
                         &name, test_io_channel_tls);

    /* A perfect CA, perfect client & perfect server */

    /* Basic:CA:critical */
    TLS_ROOT_REQ(cacertreq,
                 "UK", "qemu CA", NULL, NULL, NULL, NULL,
                 true, true, true,
                 true, true, GNUTLS_KEY_KEY_CERT_SIGN,
                 false, false, NULL, NULL,
                 0, 0);
    TLS_CERT_REQ(servercertreq, cacertreq,
                 "UK", "qemu.org", NULL, NULL, NULL, NULL,
                 true, true, false,
                 true, true,
                 GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT,
                 true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL,
                 0, 0);
    TLS_CERT_REQ(clientcertreq, cacertreq,
                 "UK", "qemu", NULL, NULL, NULL, NULL,
                 true, true, false,
                 true, true,
                 GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT,
                 true, true, GNUTLS_KP_TLS_WWW_CLIENT, NULL,
                 0, 0);

    const char *const wildcards[] = {
        "C=UK,CN=qemu*",
        NULL,
    };
    TEST_CHANNEL(basic, cacertreq.filename, servercertreq.filename,
                 clientcertreq.filename, false, false,
                 "qemu.org", wildcards);

    ret = g_test_run();

    test_tls_discard_cert(&clientcertreq);
    test_tls_discard_cert(&servercertreq);
    test_tls_discard_cert(&cacertreq);

    test_tls_cleanup(KEYFILE);
    rmdir(WORKDIR);

    return ret == 0 ? EXIT_SUCCESS : EXIT_FAILURE;
}
Commit	Line	Data
ed8ee42c DB	1	/*
	2	* QEMU I/O channel TLS test
	3	*
	4	* Copyright (C) 2015 Red Hat, Inc.
	5	*
	6	* This library is free software; you can redistribute it and/or
	7	* modify it under the terms of the GNU Lesser General Public
	8	* License as published by the Free Software Foundation; either
	9	* version 2.1 of the License, or (at your option) any later version.
	10	*
	11	* This library is distributed in the hope that it will be useful,
	12	* but WITHOUT ANY WARRANTY; without even the implied warranty of
	13	* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
	14	* Lesser General Public License for more details.
	15	*
	16	* You should have received a copy of the GNU Lesser General Public
	17	* License along with this library. If not, see
	18	* <http://www.gnu.org/licenses/>.
	19	*
	20	* Author: Daniel P. Berrange <berrange@redhat.com>
	21	*/
	22
	23
681c28a3	24	#include "qemu/osdep.h"
ed8ee42c	25
ed8ee42c DB	26	#include "crypto-tls-x509-helpers.h"
	27	#include "io/channel-tls.h"
	28	#include "io/channel-socket.h"
	29	#include "io-channel-helpers.h"
d26d6b5d	30	#include "crypto/init.h"
ed8ee42c	31	#include "crypto/tlscredsx509.h"
68db1318	32	#include "qapi/error.h"
0b8fa32f	33	#include "qemu/module.h"
b76806d4	34	#include "authz/list.h"
ed8ee42c DB	35	#include "qom/object_interfaces.h"
ed8ee42c DB	36
ed8ee42c DB	37	#define WORKDIR "tests/test-io-channel-tls-work/"
	38	#define KEYFILE WORKDIR "key-ctx.pem"
	39
	40	struct QIOChannelTLSTestData {
	41	const char *servercacrt;
	42	const char *clientcacrt;
	43	const char *servercrt;
	44	const char *clientcrt;
	45	bool expectServerFail;
	46	bool expectClientFail;
	47	const char *hostname;
	48	const char const wildcards;
	49	};
	50
	51	struct QIOChannelTLSHandshakeData {
	52	bool finished;
	53	bool failed;
	54	};
	55
60e705c5	56	static void test_tls_handshake_done(QIOTask *task,
ed8ee42c DB	57	gpointer opaque)
	58	{
	59	struct QIOChannelTLSHandshakeData *data = opaque;
	60
	61	data->finished = true;
60e705c5	62	data->failed = qio_task_propagate_error(task, NULL);
ed8ee42c DB	63	}
	64
	65
	66	static QCryptoTLSCreds *test_tls_creds_create(QCryptoTLSCredsEndpoint endpoint,
68db1318	67	const char *certdir)
ed8ee42c DB	68	{
	69	Object *parent = object_get_objects_root();
	70	Object *creds = object_new_with_props(
	71	TYPE_QCRYPTO_TLS_CREDS_X509,
	72	parent,
	73	(endpoint == QCRYPTO_TLS_CREDS_ENDPOINT_SERVER ?
	74	"testtlscredsserver" : "testtlscredsclient"),
68db1318	75	&error_abort,
ed8ee42c DB	76	"endpoint", (endpoint == QCRYPTO_TLS_CREDS_ENDPOINT_SERVER ?
	77	"server" : "client"),
	78	"dir", certdir,
	79	"verify-peer", "yes",
057ad0b4	80	"priority", "NORMAL",
ed8ee42c DB	81	/* We skip initial sanity checks here because we
	82	* want to make sure that problems are being
	83	* detected at the TLS session validation stage,
	84	* and the test-crypto-tlscreds test already
	85	* validate the sanity check code.
	86	*/
	87	"sanity-check", "no",
	88	NULL
	89	);
	90
ed8ee42c DB	91	return QCRYPTO_TLS_CREDS(creds);
	92	}
	93
	94
	95	/*
	96	* This tests validation checking of peer certificates
	97	*
	98	* This is replicating the checks that are done for an
	99	* active TLS session after handshake completes. To
	100	* simulate that we create our TLS contexts, skipping
	101	* sanity checks. When then get a socketpair, and
	102	* initiate a TLS session across them. Finally do
	103	* do actual cert validation tests
	104	*/
	105	static void test_io_channel_tls(const void *opaque)
	106	{
	107	struct QIOChannelTLSTestData *data =
	108	(struct QIOChannelTLSTestData *)opaque;
	109	QCryptoTLSCreds *clientCreds;
	110	QCryptoTLSCreds *serverCreds;
	111	QIOChannelTLS *clientChanTLS;
	112	QIOChannelTLS *serverChanTLS;
	113	QIOChannelSocket *clientChanSock;
	114	QIOChannelSocket *serverChanSock;
b76806d4	115	QAuthZList *auth;
ed8ee42c DB	116	const char * const *wildcards;
	117	int channel[2];
	118	struct QIOChannelTLSHandshakeData clientHandshake = { false, false };
	119	struct QIOChannelTLSHandshakeData serverHandshake = { false, false };
ed8ee42c DB	120	QIOChannelTest *test;
	121	GMainContext *mainloop;
	122
	123	/* We'll use this for our fake client-server connection */
	124	g_assert(socketpair(AF_UNIX, SOCK_STREAM, 0, channel) == 0);
	125
d4adf967 DB	126	#define CLIENT_CERT_DIR "tests/test-io-channel-tls-client/"
d4adf967 DB	127	#define SERVER_CERT_DIR "tests/test-io-channel-tls-server/"
ed8ee42c DB	128	mkdir(CLIENT_CERT_DIR, 0700);
	129	mkdir(SERVER_CERT_DIR, 0700);
	130
	131	unlink(SERVER_CERT_DIR QCRYPTO_TLS_CREDS_X509_CA_CERT);
	132	unlink(SERVER_CERT_DIR QCRYPTO_TLS_CREDS_X509_SERVER_CERT);
	133	unlink(SERVER_CERT_DIR QCRYPTO_TLS_CREDS_X509_SERVER_KEY);
	134
	135	unlink(CLIENT_CERT_DIR QCRYPTO_TLS_CREDS_X509_CA_CERT);
	136	unlink(CLIENT_CERT_DIR QCRYPTO_TLS_CREDS_X509_CLIENT_CERT);
	137	unlink(CLIENT_CERT_DIR QCRYPTO_TLS_CREDS_X509_CLIENT_KEY);
	138
	139	g_assert(link(data->servercacrt,
	140	SERVER_CERT_DIR QCRYPTO_TLS_CREDS_X509_CA_CERT) == 0);
	141	g_assert(link(data->servercrt,
	142	SERVER_CERT_DIR QCRYPTO_TLS_CREDS_X509_SERVER_CERT) == 0);
	143	g_assert(link(KEYFILE,
	144	SERVER_CERT_DIR QCRYPTO_TLS_CREDS_X509_SERVER_KEY) == 0);
	145
	146	g_assert(link(data->clientcacrt,
	147	CLIENT_CERT_DIR QCRYPTO_TLS_CREDS_X509_CA_CERT) == 0);
	148	g_assert(link(data->clientcrt,
	149	CLIENT_CERT_DIR QCRYPTO_TLS_CREDS_X509_CLIENT_CERT) == 0);
	150	g_assert(link(KEYFILE,
	151	CLIENT_CERT_DIR QCRYPTO_TLS_CREDS_X509_CLIENT_KEY) == 0);
	152
	153	clientCreds = test_tls_creds_create(
	154	QCRYPTO_TLS_CREDS_ENDPOINT_CLIENT,
68db1318	155	CLIENT_CERT_DIR);
ed8ee42c DB	156	g_assert(clientCreds != NULL);
	157
	158	serverCreds = test_tls_creds_create(
	159	QCRYPTO_TLS_CREDS_ENDPOINT_SERVER,
68db1318	160	SERVER_CERT_DIR);
ed8ee42c DB	161	g_assert(serverCreds != NULL);
ed8ee42c DB	162
b76806d4 DB	163	auth = qauthz_list_new("channeltlsacl",
	164	QAUTHZ_LIST_POLICY_DENY,
	165	&error_abort);
ed8ee42c DB	166	wildcards = data->wildcards;
ed8ee42c DB	167	while (wildcards && *wildcards) {
b76806d4 DB	168	qauthz_list_append_rule(auth, *wildcards,
	169	QAUTHZ_LIST_POLICY_ALLOW,
	170	QAUTHZ_LIST_FORMAT_GLOB,
	171	&error_abort);
ed8ee42c DB	172	wildcards++;
	173	}
	174
	175	clientChanSock = qio_channel_socket_new_fd(
68db1318	176	channel[0], &error_abort);
ed8ee42c DB	177	g_assert(clientChanSock != NULL);
ed8ee42c DB	178	serverChanSock = qio_channel_socket_new_fd(
68db1318	179	channel[1], &error_abort);
ed8ee42c DB	180	g_assert(serverChanSock != NULL);
	181
	182	/*
	183	* We have an evil loop to do the handshake in a single
	184	* thread, so we need these non-blocking to avoid deadlock
	185	* of ourselves
	186	*/
	187	qio_channel_set_blocking(QIO_CHANNEL(clientChanSock), false, NULL);
	188	qio_channel_set_blocking(QIO_CHANNEL(serverChanSock), false, NULL);
	189
	190	/* Now the real part of the test, setup the sessions */
	191	clientChanTLS = qio_channel_tls_new_client(
	192	QIO_CHANNEL(clientChanSock), clientCreds,
68db1318	193	data->hostname, &error_abort);
ed8ee42c DB	194	g_assert(clientChanTLS != NULL);
	195
	196	serverChanTLS = qio_channel_tls_new_server(
	197	QIO_CHANNEL(serverChanSock), serverCreds,
68db1318	198	"channeltlsacl", &error_abort);
ed8ee42c DB	199	g_assert(serverChanTLS != NULL);
	200
	201	qio_channel_tls_handshake(clientChanTLS,
	202	test_tls_handshake_done,
	203	&clientHandshake,
1939ccda	204	NULL,
ed8ee42c DB	205	NULL);
	206	qio_channel_tls_handshake(serverChanTLS,
	207	test_tls_handshake_done,
	208	&serverHandshake,
1939ccda	209	NULL,
ed8ee42c DB	210	NULL);
	211
	212	/*
	213	* Finally we loop around & around doing handshake on each
	214	* session until we get an error, or the handshake completes.
	215	* This relies on the socketpair being nonblocking to avoid
	216	* deadlocking ourselves upon handshake
	217	*/
	218	mainloop = g_main_context_default();
	219	do {
	220	g_main_context_iteration(mainloop, TRUE);
689ed13e	221	} while (!clientHandshake.finished \|\|
ed8ee42c DB	222	!serverHandshake.finished);
	223
	224	g_assert(clientHandshake.failed == data->expectClientFail);
	225	g_assert(serverHandshake.failed == data->expectServerFail);
	226
	227	test = qio_channel_test_new();
	228	qio_channel_test_run_threads(test, false,
	229	QIO_CHANNEL(clientChanTLS),
	230	QIO_CHANNEL(serverChanTLS));
	231	qio_channel_test_validate(test);
	232
	233	test = qio_channel_test_new();
	234	qio_channel_test_run_threads(test, true,
	235	QIO_CHANNEL(clientChanTLS),
	236	QIO_CHANNEL(serverChanTLS));
	237	qio_channel_test_validate(test);
	238
	239	unlink(SERVER_CERT_DIR QCRYPTO_TLS_CREDS_X509_CA_CERT);
	240	unlink(SERVER_CERT_DIR QCRYPTO_TLS_CREDS_X509_SERVER_CERT);
	241	unlink(SERVER_CERT_DIR QCRYPTO_TLS_CREDS_X509_SERVER_KEY);
	242
	243	unlink(CLIENT_CERT_DIR QCRYPTO_TLS_CREDS_X509_CA_CERT);
	244	unlink(CLIENT_CERT_DIR QCRYPTO_TLS_CREDS_X509_CLIENT_CERT);
	245	unlink(CLIENT_CERT_DIR QCRYPTO_TLS_CREDS_X509_CLIENT_KEY);
	246
	247	rmdir(CLIENT_CERT_DIR);
	248	rmdir(SERVER_CERT_DIR);
	249
	250	object_unparent(OBJECT(serverCreds));
	251	object_unparent(OBJECT(clientCreds));
	252
	253	object_unref(OBJECT(serverChanTLS));
	254	object_unref(OBJECT(clientChanTLS));
	255
	256	object_unref(OBJECT(serverChanSock));
	257	object_unref(OBJECT(clientChanSock));
	258
b76806d4 DB	259	object_unparent(OBJECT(auth));
b76806d4 DB	260
ed8ee42c DB	261	close(channel[0]);
	262	close(channel[1]);
	263	}
	264
	265
	266	int main(int argc, char **argv)
	267	{
	268	int ret;
	269
d26d6b5d DB	270	g_assert(qcrypto_init(NULL) == 0);
d26d6b5d DB	271
ed8ee42c DB	272	module_call_init(MODULE_INIT_QOM);
ed8ee42c DB	273	g_test_init(&argc, &argv, NULL);
e468ffdc	274	g_setenv("GNUTLS_FORCE_FIPS_MODE", "2", 1);
ed8ee42c DB	275
	276	mkdir(WORKDIR, 0700);
	277
	278	test_tls_init(KEYFILE);
	279
	280	# define TEST_CHANNEL(name, caCrt, \
	281	serverCrt, clientCrt, \
	282	expectServerFail, expectClientFail, \
	283	hostname, wildcards) \
	284	struct QIOChannelTLSTestData name = { \
	285	caCrt, caCrt, serverCrt, clientCrt, \
	286	expectServerFail, expectClientFail, \
	287	hostname, wildcards \
	288	}; \
	289	g_test_add_data_func("/qio/channel/tls/" # name, \
	290	&name, test_io_channel_tls);
	291
	292	/* A perfect CA, perfect client & perfect server */
	293
	294	/* Basic:CA:critical */
	295	TLS_ROOT_REQ(cacertreq,
	296	"UK", "qemu CA", NULL, NULL, NULL, NULL,
	297	true, true, true,
	298	true, true, GNUTLS_KEY_KEY_CERT_SIGN,
	299	false, false, NULL, NULL,
	300	0, 0);
	301	TLS_CERT_REQ(servercertreq, cacertreq,
	302	"UK", "qemu.org", NULL, NULL, NULL, NULL,
	303	true, true, false,
	304	true, true,
	305	GNUTLS_KEY_DIGITAL_SIGNATURE \| GNUTLS_KEY_KEY_ENCIPHERMENT,
	306	true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL,
	307	0, 0);
	308	TLS_CERT_REQ(clientcertreq, cacertreq,
	309	"UK", "qemu", NULL, NULL, NULL, NULL,
	310	true, true, false,
	311	true, true,
	312	GNUTLS_KEY_DIGITAL_SIGNATURE \| GNUTLS_KEY_KEY_ENCIPHERMENT,
	313	true, true, GNUTLS_KP_TLS_WWW_CLIENT, NULL,
	314	0, 0);
	315
	316	const char *const wildcards[] = {
	317	"C=UK,CN=qemu*",
	318	NULL,
	319	};
	320	TEST_CHANNEL(basic, cacertreq.filename, servercertreq.filename,
	321	clientcertreq.filename, false, false,
	322	"qemu.org", wildcards);
	323
	324	ret = g_test_run();
	325
	326	test_tls_discard_cert(&clientcertreq);
	327	test_tls_discard_cert(&servercertreq);
	328	test_tls_discard_cert(&cacertreq);
	329
	330	test_tls_cleanup(KEYFILE);
	331	rmdir(WORKDIR);
	332
	333	return ret == 0 ? EXIT_SUCCESS : EXIT_FAILURE;
	334	}