]> git.proxmox.com Git - mirror_qemu.git/blame - tests/test-crypto-tlssession.c
projects / mirror_qemu.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
vmstate: check subsection_found is enough
[mirror_qemu.git] / tests / test-crypto-tlssession.c
CommitLineData
d321e1e5
DB		 1/*
2 * Copyright (C) 2015 Red Hat, Inc.
3 *
4 * This library is free software; you can redistribute it and/or
5 * modify it under the terms of the GNU Lesser General Public
6 * License as published by the Free Software Foundation; either
7 * version 2.1 of the License, or (at your option) any later version.
8 *
9 * This library is distributed in the hope that it will be useful,
10 * but WITHOUT ANY WARRANTY; without even the implied warranty of
11 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
12 * Lesser General Public License for more details.
13 *
14 * You should have received a copy of the GNU Lesser General Public
15 * License along with this library. If not, see
16 * <http://www.gnu.org/licenses/>.
17 *
18 * Author: Daniel P. Berrange <berrange@redhat.com>
19 */
20
681c28a3 21#include "qemu/osdep.h"
d321e1e5 22
d321e1e5 23#include "crypto-tls-x509-helpers.h"
e1a6dc91 24#include "crypto-tls-psk-helpers.h"
d321e1e5 25#include "crypto/tlscredsx509.h"
e1a6dc91 26#include "crypto/tlscredspsk.h"
d321e1e5
DB		 27#include "crypto/tlssession.h"
28#include "qom/object_interfaces.h"
da34e65c 29#include "qapi/error.h"
d321e1e5 30#include "qemu/sockets.h"
b76806d4 31#include "authz/list.h"
d321e1e5
DB		 32
33#ifdef QCRYPTO_HAVE_TLS_TEST_SUPPORT
34
35#define WORKDIR "tests/test-crypto-tlssession-work/"
e1a6dc91 36#define PSKFILE WORKDIR "keys.psk"
d321e1e5
DB		 37#define KEYFILE WORKDIR "key-ctx.pem"
38
d321e1e5
DB		 39static ssize_t testWrite(const char *buf, size_t len, void *opaque)
40{
41 int *fd = opaque;
42
43 return write(*fd, buf, len);
44}
45
46static ssize_t testRead(char *buf, size_t len, void *opaque)
47{
48 int *fd = opaque;
49
50 return read(*fd, buf, len);
51}
52
e1a6dc91
RJ		 53static QCryptoTLSCreds *test_tls_creds_psk_create(
54 QCryptoTLSCredsEndpoint endpoint,
68db1318 55 const char *dir)
e1a6dc91 56{
e1a6dc91
RJ		 57 Object *parent = object_get_objects_root();
58 Object *creds = object_new_with_props(
59 TYPE_QCRYPTO_TLS_CREDS_PSK,
60 parent,
61 (endpoint == QCRYPTO_TLS_CREDS_ENDPOINT_SERVER ?
62 "testtlscredsserver" : "testtlscredsclient"),
68db1318 63 &error_abort,
e1a6dc91
RJ		 64 "endpoint", (endpoint == QCRYPTO_TLS_CREDS_ENDPOINT_SERVER ?
65 "server" : "client"),
66 "dir", dir,
67 "priority", "NORMAL",
68 NULL
69 );
e1a6dc91
RJ		 70 return QCRYPTO_TLS_CREDS(creds);
71}
72
73
74static void test_crypto_tls_session_psk(void)
75{
76 QCryptoTLSCreds *clientCreds;
77 QCryptoTLSCreds *serverCreds;
78 QCryptoTLSSession *clientSess = NULL;
79 QCryptoTLSSession *serverSess = NULL;
80 int channel[2];
81 bool clientShake = false;
82 bool serverShake = false;
e1a6dc91
RJ		 83 int ret;
84
85 /* We'll use this for our fake client-server connection */
86 ret = socketpair(AF_UNIX, SOCK_STREAM, 0, channel);
87 g_assert(ret == 0);
88
89 /*
90 * We have an evil loop to do the handshake in a single
91 * thread, so we need these non-blocking to avoid deadlock
92 * of ourselves
93 */
94 qemu_set_nonblock(channel[0]);
95 qemu_set_nonblock(channel[1]);
96
97 clientCreds = test_tls_creds_psk_create(
98 QCRYPTO_TLS_CREDS_ENDPOINT_CLIENT,
68db1318 99 WORKDIR);
e1a6dc91
RJ		 100 g_assert(clientCreds != NULL);
101
102 serverCreds = test_tls_creds_psk_create(
103 QCRYPTO_TLS_CREDS_ENDPOINT_SERVER,
68db1318 104 WORKDIR);
e1a6dc91
RJ		 105 g_assert(serverCreds != NULL);
106
107 /* Now the real part of the test, setup the sessions */
108 clientSess = qcrypto_tls_session_new(
109 clientCreds, NULL, NULL,
68db1318
DB		 110 QCRYPTO_TLS_CREDS_ENDPOINT_CLIENT, &error_abort);
111 g_assert(clientSess != NULL);
112
e1a6dc91
RJ		 113 serverSess = qcrypto_tls_session_new(
114 serverCreds, NULL, NULL,
68db1318 115 QCRYPTO_TLS_CREDS_ENDPOINT_SERVER, &error_abort);
e1a6dc91
RJ		 116 g_assert(serverSess != NULL);
117
118 /* For handshake to work, we need to set the I/O callbacks
119 * to read/write over the socketpair
120 */
121 qcrypto_tls_session_set_callbacks(serverSess,
122 testWrite, testRead,
123 &channel[0]);
124 qcrypto_tls_session_set_callbacks(clientSess,
125 testWrite, testRead,
126 &channel[1]);
127
128 /*
129 * Finally we loop around & around doing handshake on each
130 * session until we get an error, or the handshake completes.
131 * This relies on the socketpair being nonblocking to avoid
132 * deadlocking ourselves upon handshake
133 */
134 do {
135 int rv;
136 if (!serverShake) {
137 rv = qcrypto_tls_session_handshake(serverSess,
68db1318 138 &error_abort);
e1a6dc91
RJ		 139 g_assert(rv >= 0);
140 if (qcrypto_tls_session_get_handshake_status(serverSess) ==
141 QCRYPTO_TLS_HANDSHAKE_COMPLETE) {
142 serverShake = true;
143 }
144 }
145 if (!clientShake) {
146 rv = qcrypto_tls_session_handshake(clientSess,
68db1318 147 &error_abort);
e1a6dc91
RJ		 148 g_assert(rv >= 0);
149 if (qcrypto_tls_session_get_handshake_status(clientSess) ==
150 QCRYPTO_TLS_HANDSHAKE_COMPLETE) {
151 clientShake = true;
152 }
153 }
db0a8c70 154 } while (!clientShake || !serverShake);
e1a6dc91
RJ		 155
156
157 /* Finally make sure the server & client validation is successful. */
68db1318
DB		 158 g_assert(qcrypto_tls_session_check_credentials(serverSess,
159 &error_abort) == 0);
160 g_assert(qcrypto_tls_session_check_credentials(clientSess,
161 &error_abort) == 0);
e1a6dc91
RJ		 162
163 object_unparent(OBJECT(serverCreds));
164 object_unparent(OBJECT(clientCreds));
165
166 qcrypto_tls_session_free(serverSess);
167 qcrypto_tls_session_free(clientSess);
168
169 close(channel[0]);
170 close(channel[1]);
171}
172
173
174struct QCryptoTLSSessionTestData {
175 const char *servercacrt;
176 const char *clientcacrt;
177 const char *servercrt;
178 const char *clientcrt;
179 bool expectServerFail;
180 bool expectClientFail;
181 const char *hostname;
182 const char *const *wildcards;
183};
184
185static QCryptoTLSCreds *test_tls_creds_x509_create(
186 QCryptoTLSCredsEndpoint endpoint,
68db1318 187 const char *certdir)
d321e1e5 188{
d321e1e5
DB		 189 Object *parent = object_get_objects_root();
190 Object *creds = object_new_with_props(
191 TYPE_QCRYPTO_TLS_CREDS_X509,
192 parent,
193 (endpoint == QCRYPTO_TLS_CREDS_ENDPOINT_SERVER ?
194 "testtlscredsserver" : "testtlscredsclient"),
68db1318 195 &error_abort,
d321e1e5
DB		 196 "endpoint", (endpoint == QCRYPTO_TLS_CREDS_ENDPOINT_SERVER ?
197 "server" : "client"),
198 "dir", certdir,
199 "verify-peer", "yes",
057ad0b4 200 "priority", "NORMAL",
d321e1e5
DB		 201 /* We skip initial sanity checks here because we
202 * want to make sure that problems are being
203 * detected at the TLS session validation stage,
204 * and the test-crypto-tlscreds test already
205 * validate the sanity check code.
206 */
207 "sanity-check", "no",
208 NULL
209 );
d321e1e5
DB		 210 return QCRYPTO_TLS_CREDS(creds);
211}
212
213
214/*
215 * This tests validation checking of peer certificates
216 *
217 * This is replicating the checks that are done for an
218 * active TLS session after handshake completes. To
219 * simulate that we create our TLS contexts, skipping
220 * sanity checks. We then get a socketpair, and
221 * initiate a TLS session across them. Finally do
222 * do actual cert validation tests
223 */
e1a6dc91 224static void test_crypto_tls_session_x509(const void *opaque)
d321e1e5
DB		 225{
226 struct QCryptoTLSSessionTestData *data =
227 (struct QCryptoTLSSessionTestData *)opaque;
228 QCryptoTLSCreds *clientCreds;
229 QCryptoTLSCreds *serverCreds;
230 QCryptoTLSSession *clientSess = NULL;
231 QCryptoTLSSession *serverSess = NULL;
b76806d4 232 QAuthZList *auth;
d321e1e5
DB		 233 const char * const *wildcards;
234 int channel[2];
235 bool clientShake = false;
236 bool serverShake = false;
d321e1e5
DB		 237 int ret;
238
239 /* We'll use this for our fake client-server connection */
240 ret = socketpair(AF_UNIX, SOCK_STREAM, 0, channel);
241 g_assert(ret == 0);
242
243 /*
244 * We have an evil loop to do the handshake in a single
245 * thread, so we need these non-blocking to avoid deadlock
246 * of ourselves
247 */
248 qemu_set_nonblock(channel[0]);
249 qemu_set_nonblock(channel[1]);
250
251#define CLIENT_CERT_DIR "tests/test-crypto-tlssession-client/"
252#define SERVER_CERT_DIR "tests/test-crypto-tlssession-server/"
253 mkdir(CLIENT_CERT_DIR, 0700);
254 mkdir(SERVER_CERT_DIR, 0700);
255
256 unlink(SERVER_CERT_DIR QCRYPTO_TLS_CREDS_X509_CA_CERT);
257 unlink(SERVER_CERT_DIR QCRYPTO_TLS_CREDS_X509_SERVER_CERT);
258 unlink(SERVER_CERT_DIR QCRYPTO_TLS_CREDS_X509_SERVER_KEY);
259
260 unlink(CLIENT_CERT_DIR QCRYPTO_TLS_CREDS_X509_CA_CERT);
261 unlink(CLIENT_CERT_DIR QCRYPTO_TLS_CREDS_X509_CLIENT_CERT);
262 unlink(CLIENT_CERT_DIR QCRYPTO_TLS_CREDS_X509_CLIENT_KEY);
263
264 g_assert(link(data->servercacrt,
265 SERVER_CERT_DIR QCRYPTO_TLS_CREDS_X509_CA_CERT) == 0);
266 g_assert(link(data->servercrt,
267 SERVER_CERT_DIR QCRYPTO_TLS_CREDS_X509_SERVER_CERT) == 0);
268 g_assert(link(KEYFILE,
269 SERVER_CERT_DIR QCRYPTO_TLS_CREDS_X509_SERVER_KEY) == 0);
270
271 g_assert(link(data->clientcacrt,
272 CLIENT_CERT_DIR QCRYPTO_TLS_CREDS_X509_CA_CERT) == 0);
273 g_assert(link(data->clientcrt,
274 CLIENT_CERT_DIR QCRYPTO_TLS_CREDS_X509_CLIENT_CERT) == 0);
275 g_assert(link(KEYFILE,
276 CLIENT_CERT_DIR QCRYPTO_TLS_CREDS_X509_CLIENT_KEY) == 0);
277
e1a6dc91 278 clientCreds = test_tls_creds_x509_create(
d321e1e5 279 QCRYPTO_TLS_CREDS_ENDPOINT_CLIENT,
68db1318 280 CLIENT_CERT_DIR);
d321e1e5
DB		 281 g_assert(clientCreds != NULL);
282
e1a6dc91 283 serverCreds = test_tls_creds_x509_create(
d321e1e5 284 QCRYPTO_TLS_CREDS_ENDPOINT_SERVER,
68db1318 285 SERVER_CERT_DIR);
d321e1e5
DB		 286 g_assert(serverCreds != NULL);
287
b76806d4
DB		 288 auth = qauthz_list_new("tlssessionacl",
289 QAUTHZ_LIST_POLICY_DENY,
290 &error_abort);
d321e1e5
DB		 291 wildcards = data->wildcards;
292 while (wildcards && *wildcards) {
b76806d4
DB		 293 qauthz_list_append_rule(auth, *wildcards,
294 QAUTHZ_LIST_POLICY_ALLOW,
295 QAUTHZ_LIST_FORMAT_GLOB,
296 &error_abort);
d321e1e5
DB		 297 wildcards++;
298 }
299
300 /* Now the real part of the test, setup the sessions */
301 clientSess = qcrypto_tls_session_new(
302 clientCreds, data->hostname, NULL,
68db1318
DB		 303 QCRYPTO_TLS_CREDS_ENDPOINT_CLIENT, &error_abort);
304 g_assert(clientSess != NULL);
305
d321e1e5
DB		 306 serverSess = qcrypto_tls_session_new(
307 serverCreds, NULL,
308 data->wildcards ? "tlssessionacl" : NULL,
68db1318 309 QCRYPTO_TLS_CREDS_ENDPOINT_SERVER, &error_abort);
d321e1e5
DB		 310 g_assert(serverSess != NULL);
311
312 /* For handshake to work, we need to set the I/O callbacks
313 * to read/write over the socketpair
314 */
315 qcrypto_tls_session_set_callbacks(serverSess,
316 testWrite, testRead,
317 &channel[0]);
318 qcrypto_tls_session_set_callbacks(clientSess,
319 testWrite, testRead,
320 &channel[1]);
321
322 /*
323 * Finally we loop around & around doing handshake on each
324 * session until we get an error, or the handshake completes.
325 * This relies on the socketpair being nonblocking to avoid
326 * deadlocking ourselves upon handshake
327 */
328 do {
329 int rv;
330 if (!serverShake) {
331 rv = qcrypto_tls_session_handshake(serverSess,
68db1318 332 &error_abort);
d321e1e5
DB		 333 g_assert(rv >= 0);
334 if (qcrypto_tls_session_get_handshake_status(serverSess) ==
335 QCRYPTO_TLS_HANDSHAKE_COMPLETE) {
336 serverShake = true;
337 }
338 }
339 if (!clientShake) {
340 rv = qcrypto_tls_session_handshake(clientSess,
68db1318 341 &error_abort);
d321e1e5
DB		 342 g_assert(rv >= 0);
343 if (qcrypto_tls_session_get_handshake_status(clientSess) ==
344 QCRYPTO_TLS_HANDSHAKE_COMPLETE) {
345 clientShake = true;
346 }
347 }
db0a8c70 348 } while (!clientShake || !serverShake);
d321e1e5
DB		 349
350
351 /* Finally make sure the server validation does what
352 * we were expecting
353 */
68db1318
DB		 354 if (qcrypto_tls_session_check_credentials(
355 serverSess, data->expectServerFail ? NULL : &error_abort) < 0) {
d321e1e5 356 g_assert(data->expectServerFail);
d321e1e5
DB		 357 } else {
358 g_assert(!data->expectServerFail);
359 }
360
361 /*
362 * And the same for the client validation check
363 */
68db1318
DB		 364 if (qcrypto_tls_session_check_credentials(
365 clientSess, data->expectClientFail ? NULL : &error_abort) < 0) {
d321e1e5 366 g_assert(data->expectClientFail);
d321e1e5
DB		 367 } else {
368 g_assert(!data->expectClientFail);
369 }
370
371 unlink(SERVER_CERT_DIR QCRYPTO_TLS_CREDS_X509_CA_CERT);
372 unlink(SERVER_CERT_DIR QCRYPTO_TLS_CREDS_X509_SERVER_CERT);
373 unlink(SERVER_CERT_DIR QCRYPTO_TLS_CREDS_X509_SERVER_KEY);
374
375 unlink(CLIENT_CERT_DIR QCRYPTO_TLS_CREDS_X509_CA_CERT);
376 unlink(CLIENT_CERT_DIR QCRYPTO_TLS_CREDS_X509_CLIENT_CERT);
377 unlink(CLIENT_CERT_DIR QCRYPTO_TLS_CREDS_X509_CLIENT_KEY);
378
379 rmdir(CLIENT_CERT_DIR);
380 rmdir(SERVER_CERT_DIR);
381
382 object_unparent(OBJECT(serverCreds));
383 object_unparent(OBJECT(clientCreds));
b76806d4 384 object_unparent(OBJECT(auth));
d321e1e5
DB		 385
386 qcrypto_tls_session_free(serverSess);
387 qcrypto_tls_session_free(clientSess);
388
389 close(channel[0]);
390 close(channel[1]);
391}
392
393
394int main(int argc, char **argv)
395{
396 int ret;
397
398 module_call_init(MODULE_INIT_QOM);
399 g_test_init(&argc, &argv, NULL);
400 setenv("GNUTLS_FORCE_FIPS_MODE", "2", 1);
401
402 mkdir(WORKDIR, 0700);
403
404 test_tls_init(KEYFILE);
e1a6dc91
RJ		 405 test_tls_psk_init(PSKFILE);
406
407 /* Simple initial test using Pre-Shared Keys. */
408 g_test_add_func("/qcrypto/tlssession/psk",
409 test_crypto_tls_session_psk);
d321e1e5 410
e1a6dc91 411 /* More complex tests using X.509 certificates. */
d321e1e5
DB		 412# define TEST_SESS_REG(name, caCrt, \
413 serverCrt, clientCrt, \
414 expectServerFail, expectClientFail, \
415 hostname, wildcards) \
416 struct QCryptoTLSSessionTestData name = { \
417 caCrt, caCrt, serverCrt, clientCrt, \
418 expectServerFail, expectClientFail, \
419 hostname, wildcards \
420 }; \
421 g_test_add_data_func("/qcrypto/tlssession/" # name, \
e1a6dc91 422 &name, test_crypto_tls_session_x509); \
d321e1e5
DB		 423
424
425# define TEST_SESS_REG_EXT(name, serverCaCrt, clientCaCrt, \
426 serverCrt, clientCrt, \
427 expectServerFail, expectClientFail, \
428 hostname, wildcards) \
429 struct QCryptoTLSSessionTestData name = { \
430 serverCaCrt, clientCaCrt, serverCrt, clientCrt, \
431 expectServerFail, expectClientFail, \
432 hostname, wildcards \
433 }; \
434 g_test_add_data_func("/qcrypto/tlssession/" # name, \
e1a6dc91 435 &name, test_crypto_tls_session_x509); \
d321e1e5
DB		 436
437 /* A perfect CA, perfect client & perfect server */
438
439 /* Basic:CA:critical */
440 TLS_ROOT_REQ(cacertreq,
441 "UK", "qemu CA", NULL, NULL, NULL, NULL,
442 true, true, true,
443 true, true, GNUTLS_KEY_KEY_CERT_SIGN,
444 false, false, NULL, NULL,
445 0, 0);
446
447 TLS_ROOT_REQ(altcacertreq,
448 "UK", "qemu CA 1", NULL, NULL, NULL, NULL,
449 true, true, true,
450 false, false, 0,
451 false, false, NULL, NULL,
452 0, 0);
453
454 TLS_CERT_REQ(servercertreq, cacertreq,
455 "UK", "qemu.org", NULL, NULL, NULL, NULL,
456 true, true, false,
457 true, true,
458 GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT,
459 true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL,
460 0, 0);
461 TLS_CERT_REQ(clientcertreq, cacertreq,
462 "UK", "qemu", NULL, NULL, NULL, NULL,
463 true, true, false,
464 true, true,
465 GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT,
466 true, true, GNUTLS_KP_TLS_WWW_CLIENT, NULL,
467 0, 0);
468
469 TLS_CERT_REQ(clientcertaltreq, altcacertreq,
470 "UK", "qemu", NULL, NULL, NULL, NULL,
471 true, true, false,
472 true, true,
473 GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT,
474 true, true, GNUTLS_KP_TLS_WWW_CLIENT, NULL,
475 0, 0);
476
477 TEST_SESS_REG(basicca, cacertreq.filename,
478 servercertreq.filename, clientcertreq.filename,
479 false, false, "qemu.org", NULL);
480 TEST_SESS_REG_EXT(differentca, cacertreq.filename,
481 altcacertreq.filename, servercertreq.filename,
482 clientcertaltreq.filename, true, true, "qemu.org", NULL);
483
484
485 /* When an altname is set, the CN is ignored, so it must be duplicated
486 * as an altname for it to match */
487 TLS_CERT_REQ(servercertalt1req, cacertreq,
488 "UK", "qemu.org", "www.qemu.org", "qemu.org",
489 "192.168.122.1", "fec0::dead:beaf",
490 true, true, false,
491 true, true,
492 GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT,
493 true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL,
494 0, 0);
495 /* This intentionally doesn't replicate */
496 TLS_CERT_REQ(servercertalt2req, cacertreq,
497 "UK", "qemu.org", "www.qemu.org", "wiki.qemu.org",
498 "192.168.122.1", "fec0::dead:beaf",
499 true, true, false,
500 true, true,
501 GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT,
502 true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL,
503 0, 0);
504
505 TEST_SESS_REG(altname1, cacertreq.filename,
506 servercertalt1req.filename, clientcertreq.filename,
507 false, false, "qemu.org", NULL);
508 TEST_SESS_REG(altname2, cacertreq.filename,
509 servercertalt1req.filename, clientcertreq.filename,
510 false, false, "www.qemu.org", NULL);
511 TEST_SESS_REG(altname3, cacertreq.filename,
512 servercertalt1req.filename, clientcertreq.filename,
513 false, true, "wiki.qemu.org", NULL);
514
515 TEST_SESS_REG(altname4, cacertreq.filename,
516 servercertalt2req.filename, clientcertreq.filename,
517 false, true, "qemu.org", NULL);
518 TEST_SESS_REG(altname5, cacertreq.filename,
519 servercertalt2req.filename, clientcertreq.filename,
520 false, false, "www.qemu.org", NULL);
521 TEST_SESS_REG(altname6, cacertreq.filename,
522 servercertalt2req.filename, clientcertreq.filename,
523 false, false, "wiki.qemu.org", NULL);
524
525 const char *const wildcards1[] = {
526 "C=UK,CN=dogfood",
527 NULL,
528 };
529 const char *const wildcards2[] = {
530 "C=UK,CN=qemu",
531 NULL,
532 };
533 const char *const wildcards3[] = {
534 "C=UK,CN=dogfood",
535 "C=UK,CN=qemu",
536 NULL,
537 };
538 const char *const wildcards4[] = {
539 "C=UK,CN=qemustuff",
540 NULL,
541 };
542 const char *const wildcards5[] = {
543 "C=UK,CN=qemu*",
544 NULL,
545 };
546 const char *const wildcards6[] = {
547 "C=UK,CN=*emu*",
548 NULL,
549 };
550
551 TEST_SESS_REG(wildcard1, cacertreq.filename,
552 servercertreq.filename, clientcertreq.filename,
553 true, false, "qemu.org", wildcards1);
554 TEST_SESS_REG(wildcard2, cacertreq.filename,
555 servercertreq.filename, clientcertreq.filename,
556 false, false, "qemu.org", wildcards2);
557 TEST_SESS_REG(wildcard3, cacertreq.filename,
558 servercertreq.filename, clientcertreq.filename,
559 false, false, "qemu.org", wildcards3);
560 TEST_SESS_REG(wildcard4, cacertreq.filename,
561 servercertreq.filename, clientcertreq.filename,
562 true, false, "qemu.org", wildcards4);
563 TEST_SESS_REG(wildcard5, cacertreq.filename,
564 servercertreq.filename, clientcertreq.filename,
565 false, false, "qemu.org", wildcards5);
566 TEST_SESS_REG(wildcard6, cacertreq.filename,
567 servercertreq.filename, clientcertreq.filename,
568 false, false, "qemu.org", wildcards6);
569
570 TLS_ROOT_REQ(cacertrootreq,
571 "UK", "qemu root", NULL, NULL, NULL, NULL,
572 true, true, true,
573 true, true, GNUTLS_KEY_KEY_CERT_SIGN,
574 false, false, NULL, NULL,
575 0, 0);
576 TLS_CERT_REQ(cacertlevel1areq, cacertrootreq,
577 "UK", "qemu level 1a", NULL, NULL, NULL, NULL,
578 true, true, true,
579 true, true, GNUTLS_KEY_KEY_CERT_SIGN,
580 false, false, NULL, NULL,
581 0, 0);
582 TLS_CERT_REQ(cacertlevel1breq, cacertrootreq,
583 "UK", "qemu level 1b", NULL, NULL, NULL, NULL,
584 true, true, true,
585 true, true, GNUTLS_KEY_KEY_CERT_SIGN,
586 false, false, NULL, NULL,
587 0, 0);
588 TLS_CERT_REQ(cacertlevel2areq, cacertlevel1areq,
589 "UK", "qemu level 2a", NULL, NULL, NULL, NULL,
590 true, true, true,
591 true, true, GNUTLS_KEY_KEY_CERT_SIGN,
592 false, false, NULL, NULL,
593 0, 0);
594 TLS_CERT_REQ(servercertlevel3areq, cacertlevel2areq,
595 "UK", "qemu.org", NULL, NULL, NULL, NULL,
596 true, true, false,
597 true, true,
598 GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT,
599 true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL,
600 0, 0);
601 TLS_CERT_REQ(clientcertlevel2breq, cacertlevel1breq,
602 "UK", "qemu client level 2b", NULL, NULL, NULL, NULL,
603 true, true, false,
604 true, true,
605 GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT,
606 true, true, GNUTLS_KP_TLS_WWW_CLIENT, NULL,
607 0, 0);
608
609 gnutls_x509_crt_t certchain[] = {
610 cacertrootreq.crt,
611 cacertlevel1areq.crt,
612 cacertlevel1breq.crt,
613 cacertlevel2areq.crt,
614 };
615
616 test_tls_write_cert_chain(WORKDIR "cacertchain-sess.pem",
617 certchain,
618 G_N_ELEMENTS(certchain));
619
620 TEST_SESS_REG(cachain, WORKDIR "cacertchain-sess.pem",
621 servercertlevel3areq.filename, clientcertlevel2breq.filename,
622 false, false, "qemu.org", NULL);
623
624 ret = g_test_run();
625
626 test_tls_discard_cert(&clientcertreq);
627 test_tls_discard_cert(&clientcertaltreq);
628
629 test_tls_discard_cert(&servercertreq);
630 test_tls_discard_cert(&servercertalt1req);
631 test_tls_discard_cert(&servercertalt2req);
632
633 test_tls_discard_cert(&cacertreq);
634 test_tls_discard_cert(&altcacertreq);
635
636 test_tls_discard_cert(&cacertrootreq);
637 test_tls_discard_cert(&cacertlevel1areq);
638 test_tls_discard_cert(&cacertlevel1breq);
639 test_tls_discard_cert(&cacertlevel2areq);
640 test_tls_discard_cert(&servercertlevel3areq);
641 test_tls_discard_cert(&clientcertlevel2breq);
642 unlink(WORKDIR "cacertchain-sess.pem");
643
e1a6dc91 644 test_tls_psk_cleanup(PSKFILE);
d321e1e5
DB		 645 test_tls_cleanup(KEYFILE);
646 rmdir(WORKDIR);
647
648 return ret == 0 ? EXIT_SUCCESS : EXIT_FAILURE;
649}
650
651#else /* ! QCRYPTO_HAVE_TLS_TEST_SUPPORT */
652
653int
654main(void)
655{
656 return EXIT_SUCCESS;
657}
658
659#endif /* ! QCRYPTO_HAVE_TLS_TEST_SUPPORT */
QEMU mirror