1 /* 2 * Copyright (C) 2015 Red Hat, Inc. 3 * 4 * This library is free software; you can redistribute it and/or 5 * modify it under the terms of the GNU Lesser General Public 6 * License as published by the Free Software Foundation; either 7 * version 2.1 of the License, or (at your option) any later version. 8 * 9 * This library is distributed in the hope that it will be useful, 10 * but WITHOUT ANY WARRANTY; without even the implied warranty of 11 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU 12 * Lesser General Public License for more details. 13 * 14 * You should have received a copy of the GNU Lesser General Public 15 * License along with this library. If not, see 16 * <http://www.gnu.org/licenses/>. 17 * 18 * Author: Daniel P. Berrange <berrange@redhat.com> 19 */ 20 21 #include "qemu/osdep.h" 22 23 #include "crypto-tls-x509-helpers.h" 24 #include "crypto-tls-psk-helpers.h" 25 #include "crypto/tlscredsx509.h" 26 #include "crypto/tlscredspsk.h" 27 #include "crypto/tlssession.h" 28 #include "qom/object_interfaces.h" 29 #include "qapi/error.h" 30 #include "qemu/sockets.h" 31 #include "qemu/acl.h" 32 33 #ifdef QCRYPTO_HAVE_TLS_TEST_SUPPORT 34 35 #define WORKDIR "tests/test-crypto-tlssession-work/" 36 #define PSKFILE WORKDIR "keys.psk" 37 #define KEYFILE WORKDIR "key-ctx.pem" 38 39 static ssize_t testWrite(const char *buf, size_t len, void *opaque) 40 { 41 int *fd = opaque; 42 43 return write(*fd, buf, len); 44 } 45 46 static ssize_t testRead(char *buf, size_t len, void *opaque) 47 { 48 int *fd = opaque; 49 50 return read(*fd, buf, len); 51 } 52 53 static QCryptoTLSCreds *test_tls_creds_psk_create( 54 QCryptoTLSCredsEndpoint endpoint, 55 const char *dir, 56 Error **errp) 57 { 58 Error *err = NULL; 59 Object *parent = object_get_objects_root(); 60 Object *creds = object_new_with_props( 61 TYPE_QCRYPTO_TLS_CREDS_PSK, 62 parent, 63 (endpoint == QCRYPTO_TLS_CREDS_ENDPOINT_SERVER ? 64 "testtlscredsserver" : "testtlscredsclient"), 65 &err, 66 "endpoint", (endpoint == QCRYPTO_TLS_CREDS_ENDPOINT_SERVER ? 67 "server" : "client"), 68 "dir", dir, 69 "priority", "NORMAL", 70 NULL 71 ); 72 73 if (err) { 74 error_propagate(errp, err); 75 return NULL; 76 } 77 return QCRYPTO_TLS_CREDS(creds); 78 } 79 80 81 static void test_crypto_tls_session_psk(void) 82 { 83 QCryptoTLSCreds *clientCreds; 84 QCryptoTLSCreds *serverCreds; 85 QCryptoTLSSession *clientSess = NULL; 86 QCryptoTLSSession *serverSess = NULL; 87 int channel[2]; 88 bool clientShake = false; 89 bool serverShake = false; 90 Error *err = NULL; 91 int ret; 92 93 /* We'll use this for our fake client-server connection */ 94 ret = socketpair(AF_UNIX, SOCK_STREAM, 0, channel); 95 g_assert(ret == 0); 96 97 /* 98 * We have an evil loop to do the handshake in a single 99 * thread, so we need these non-blocking to avoid deadlock 100 * of ourselves 101 */ 102 qemu_set_nonblock(channel[0]); 103 qemu_set_nonblock(channel[1]); 104 105 clientCreds = test_tls_creds_psk_create( 106 QCRYPTO_TLS_CREDS_ENDPOINT_CLIENT, 107 WORKDIR, 108 &err); 109 g_assert(clientCreds != NULL); 110 111 serverCreds = test_tls_creds_psk_create( 112 QCRYPTO_TLS_CREDS_ENDPOINT_SERVER, 113 WORKDIR, 114 &err); 115 g_assert(serverCreds != NULL); 116 117 /* Now the real part of the test, setup the sessions */ 118 clientSess = qcrypto_tls_session_new( 119 clientCreds, NULL, NULL, 120 QCRYPTO_TLS_CREDS_ENDPOINT_CLIENT, &err); 121 serverSess = qcrypto_tls_session_new( 122 serverCreds, NULL, NULL, 123 QCRYPTO_TLS_CREDS_ENDPOINT_SERVER, &err); 124 125 g_assert(clientSess != NULL); 126 g_assert(serverSess != NULL); 127 128 /* For handshake to work, we need to set the I/O callbacks 129 * to read/write over the socketpair 130 */ 131 qcrypto_tls_session_set_callbacks(serverSess, 132 testWrite, testRead, 133 &channel[0]); 134 qcrypto_tls_session_set_callbacks(clientSess, 135 testWrite, testRead, 136 &channel[1]); 137 138 /* 139 * Finally we loop around & around doing handshake on each 140 * session until we get an error, or the handshake completes. 141 * This relies on the socketpair being nonblocking to avoid 142 * deadlocking ourselves upon handshake 143 */ 144 do { 145 int rv; 146 if (!serverShake) { 147 rv = qcrypto_tls_session_handshake(serverSess, 148 &err); 149 g_assert(rv >= 0); 150 if (qcrypto_tls_session_get_handshake_status(serverSess) == 151 QCRYPTO_TLS_HANDSHAKE_COMPLETE) { 152 serverShake = true; 153 } 154 } 155 if (!clientShake) { 156 rv = qcrypto_tls_session_handshake(clientSess, 157 &err); 158 g_assert(rv >= 0); 159 if (qcrypto_tls_session_get_handshake_status(clientSess) == 160 QCRYPTO_TLS_HANDSHAKE_COMPLETE) { 161 clientShake = true; 162 } 163 } 164 } while (!clientShake && !serverShake); 165 166 167 /* Finally make sure the server & client validation is successful. */ 168 g_assert(qcrypto_tls_session_check_credentials(serverSess, &err) == 0); 169 g_assert(qcrypto_tls_session_check_credentials(clientSess, &err) == 0); 170 171 object_unparent(OBJECT(serverCreds)); 172 object_unparent(OBJECT(clientCreds)); 173 174 qcrypto_tls_session_free(serverSess); 175 qcrypto_tls_session_free(clientSess); 176 177 close(channel[0]); 178 close(channel[1]); 179 } 180 181 182 struct QCryptoTLSSessionTestData { 183 const char *servercacrt; 184 const char *clientcacrt; 185 const char *servercrt; 186 const char *clientcrt; 187 bool expectServerFail; 188 bool expectClientFail; 189 const char *hostname; 190 const char *const *wildcards; 191 }; 192 193 static QCryptoTLSCreds *test_tls_creds_x509_create( 194 QCryptoTLSCredsEndpoint endpoint, 195 const char *certdir, 196 Error **errp) 197 { 198 Error *err = NULL; 199 Object *parent = object_get_objects_root(); 200 Object *creds = object_new_with_props( 201 TYPE_QCRYPTO_TLS_CREDS_X509, 202 parent, 203 (endpoint == QCRYPTO_TLS_CREDS_ENDPOINT_SERVER ? 204 "testtlscredsserver" : "testtlscredsclient"), 205 &err, 206 "endpoint", (endpoint == QCRYPTO_TLS_CREDS_ENDPOINT_SERVER ? 207 "server" : "client"), 208 "dir", certdir, 209 "verify-peer", "yes", 210 "priority", "NORMAL", 211 /* We skip initial sanity checks here because we 212 * want to make sure that problems are being 213 * detected at the TLS session validation stage, 214 * and the test-crypto-tlscreds test already 215 * validate the sanity check code. 216 */ 217 "sanity-check", "no", 218 NULL 219 ); 220 221 if (err) { 222 error_propagate(errp, err); 223 return NULL; 224 } 225 return QCRYPTO_TLS_CREDS(creds); 226 } 227 228 229 /* 230 * This tests validation checking of peer certificates 231 * 232 * This is replicating the checks that are done for an 233 * active TLS session after handshake completes. To 234 * simulate that we create our TLS contexts, skipping 235 * sanity checks. We then get a socketpair, and 236 * initiate a TLS session across them. Finally do 237 * do actual cert validation tests 238 */ 239 static void test_crypto_tls_session_x509(const void *opaque) 240 { 241 struct QCryptoTLSSessionTestData *data = 242 (struct QCryptoTLSSessionTestData *)opaque; 243 QCryptoTLSCreds *clientCreds; 244 QCryptoTLSCreds *serverCreds; 245 QCryptoTLSSession *clientSess = NULL; 246 QCryptoTLSSession *serverSess = NULL; 247 qemu_acl *acl; 248 const char * const *wildcards; 249 int channel[2]; 250 bool clientShake = false; 251 bool serverShake = false; 252 Error *err = NULL; 253 int ret; 254 255 /* We'll use this for our fake client-server connection */ 256 ret = socketpair(AF_UNIX, SOCK_STREAM, 0, channel); 257 g_assert(ret == 0); 258 259 /* 260 * We have an evil loop to do the handshake in a single 261 * thread, so we need these non-blocking to avoid deadlock 262 * of ourselves 263 */ 264 qemu_set_nonblock(channel[0]); 265 qemu_set_nonblock(channel[1]); 266 267 #define CLIENT_CERT_DIR "tests/test-crypto-tlssession-client/" 268 #define SERVER_CERT_DIR "tests/test-crypto-tlssession-server/" 269 mkdir(CLIENT_CERT_DIR, 0700); 270 mkdir(SERVER_CERT_DIR, 0700); 271 272 unlink(SERVER_CERT_DIR QCRYPTO_TLS_CREDS_X509_CA_CERT); 273 unlink(SERVER_CERT_DIR QCRYPTO_TLS_CREDS_X509_SERVER_CERT); 274 unlink(SERVER_CERT_DIR QCRYPTO_TLS_CREDS_X509_SERVER_KEY); 275 276 unlink(CLIENT_CERT_DIR QCRYPTO_TLS_CREDS_X509_CA_CERT); 277 unlink(CLIENT_CERT_DIR QCRYPTO_TLS_CREDS_X509_CLIENT_CERT); 278 unlink(CLIENT_CERT_DIR QCRYPTO_TLS_CREDS_X509_CLIENT_KEY); 279 280 g_assert(link(data->servercacrt, 281 SERVER_CERT_DIR QCRYPTO_TLS_CREDS_X509_CA_CERT) == 0); 282 g_assert(link(data->servercrt, 283 SERVER_CERT_DIR QCRYPTO_TLS_CREDS_X509_SERVER_CERT) == 0); 284 g_assert(link(KEYFILE, 285 SERVER_CERT_DIR QCRYPTO_TLS_CREDS_X509_SERVER_KEY) == 0); 286 287 g_assert(link(data->clientcacrt, 288 CLIENT_CERT_DIR QCRYPTO_TLS_CREDS_X509_CA_CERT) == 0); 289 g_assert(link(data->clientcrt, 290 CLIENT_CERT_DIR QCRYPTO_TLS_CREDS_X509_CLIENT_CERT) == 0); 291 g_assert(link(KEYFILE, 292 CLIENT_CERT_DIR QCRYPTO_TLS_CREDS_X509_CLIENT_KEY) == 0); 293 294 clientCreds = test_tls_creds_x509_create( 295 QCRYPTO_TLS_CREDS_ENDPOINT_CLIENT, 296 CLIENT_CERT_DIR, 297 &err); 298 g_assert(clientCreds != NULL); 299 300 serverCreds = test_tls_creds_x509_create( 301 QCRYPTO_TLS_CREDS_ENDPOINT_SERVER, 302 SERVER_CERT_DIR, 303 &err); 304 g_assert(serverCreds != NULL); 305 306 acl = qemu_acl_init("tlssessionacl"); 307 qemu_acl_reset(acl); 308 wildcards = data->wildcards; 309 while (wildcards && *wildcards) { 310 qemu_acl_append(acl, 0, *wildcards); 311 wildcards++; 312 } 313 314 /* Now the real part of the test, setup the sessions */ 315 clientSess = qcrypto_tls_session_new( 316 clientCreds, data->hostname, NULL, 317 QCRYPTO_TLS_CREDS_ENDPOINT_CLIENT, &err); 318 serverSess = qcrypto_tls_session_new( 319 serverCreds, NULL, 320 data->wildcards ? "tlssessionacl" : NULL, 321 QCRYPTO_TLS_CREDS_ENDPOINT_SERVER, &err); 322 323 g_assert(clientSess != NULL); 324 g_assert(serverSess != NULL); 325 326 /* For handshake to work, we need to set the I/O callbacks 327 * to read/write over the socketpair 328 */ 329 qcrypto_tls_session_set_callbacks(serverSess, 330 testWrite, testRead, 331 &channel[0]); 332 qcrypto_tls_session_set_callbacks(clientSess, 333 testWrite, testRead, 334 &channel[1]); 335 336 /* 337 * Finally we loop around & around doing handshake on each 338 * session until we get an error, or the handshake completes. 339 * This relies on the socketpair being nonblocking to avoid 340 * deadlocking ourselves upon handshake 341 */ 342 do { 343 int rv; 344 if (!serverShake) { 345 rv = qcrypto_tls_session_handshake(serverSess, 346 &err); 347 g_assert(rv >= 0); 348 if (qcrypto_tls_session_get_handshake_status(serverSess) == 349 QCRYPTO_TLS_HANDSHAKE_COMPLETE) { 350 serverShake = true; 351 } 352 } 353 if (!clientShake) { 354 rv = qcrypto_tls_session_handshake(clientSess, 355 &err); 356 g_assert(rv >= 0); 357 if (qcrypto_tls_session_get_handshake_status(clientSess) == 358 QCRYPTO_TLS_HANDSHAKE_COMPLETE) { 359 clientShake = true; 360 } 361 } 362 } while (!clientShake && !serverShake); 363 364 365 /* Finally make sure the server validation does what 366 * we were expecting 367 */ 368 if (qcrypto_tls_session_check_credentials(serverSess, &err) < 0) { 369 g_assert(data->expectServerFail); 370 error_free(err); 371 err = NULL; 372 } else { 373 g_assert(!data->expectServerFail); 374 } 375 376 /* 377 * And the same for the client validation check 378 */ 379 if (qcrypto_tls_session_check_credentials(clientSess, &err) < 0) { 380 g_assert(data->expectClientFail); 381 error_free(err); 382 err = NULL; 383 } else { 384 g_assert(!data->expectClientFail); 385 } 386 387 unlink(SERVER_CERT_DIR QCRYPTO_TLS_CREDS_X509_CA_CERT); 388 unlink(SERVER_CERT_DIR QCRYPTO_TLS_CREDS_X509_SERVER_CERT); 389 unlink(SERVER_CERT_DIR QCRYPTO_TLS_CREDS_X509_SERVER_KEY); 390 391 unlink(CLIENT_CERT_DIR QCRYPTO_TLS_CREDS_X509_CA_CERT); 392 unlink(CLIENT_CERT_DIR QCRYPTO_TLS_CREDS_X509_CLIENT_CERT); 393 unlink(CLIENT_CERT_DIR QCRYPTO_TLS_CREDS_X509_CLIENT_KEY); 394 395 rmdir(CLIENT_CERT_DIR); 396 rmdir(SERVER_CERT_DIR); 397 398 object_unparent(OBJECT(serverCreds)); 399 object_unparent(OBJECT(clientCreds)); 400 401 qcrypto_tls_session_free(serverSess); 402 qcrypto_tls_session_free(clientSess); 403 404 close(channel[0]); 405 close(channel[1]); 406 } 407 408 409 int main(int argc, char **argv) 410 { 411 int ret; 412 413 module_call_init(MODULE_INIT_QOM); 414 g_test_init(&argc, &argv, NULL); 415 setenv("GNUTLS_FORCE_FIPS_MODE", "2", 1); 416 417 mkdir(WORKDIR, 0700); 418 419 test_tls_init(KEYFILE); 420 test_tls_psk_init(PSKFILE); 421 422 /* Simple initial test using Pre-Shared Keys. */ 423 g_test_add_func("/qcrypto/tlssession/psk", 424 test_crypto_tls_session_psk); 425 426 /* More complex tests using X.509 certificates. */ 427 # define TEST_SESS_REG(name, caCrt, \ 428 serverCrt, clientCrt, \ 429 expectServerFail, expectClientFail, \ 430 hostname, wildcards) \ 431 struct QCryptoTLSSessionTestData name = { \ 432 caCrt, caCrt, serverCrt, clientCrt, \ 433 expectServerFail, expectClientFail, \ 434 hostname, wildcards \ 435 }; \ 436 g_test_add_data_func("/qcrypto/tlssession/" # name, \ 437 &name, test_crypto_tls_session_x509); \ 438 439 440 # define TEST_SESS_REG_EXT(name, serverCaCrt, clientCaCrt, \ 441 serverCrt, clientCrt, \ 442 expectServerFail, expectClientFail, \ 443 hostname, wildcards) \ 444 struct QCryptoTLSSessionTestData name = { \ 445 serverCaCrt, clientCaCrt, serverCrt, clientCrt, \ 446 expectServerFail, expectClientFail, \ 447 hostname, wildcards \ 448 }; \ 449 g_test_add_data_func("/qcrypto/tlssession/" # name, \ 450 &name, test_crypto_tls_session_x509); \ 451 452 /* A perfect CA, perfect client & perfect server */ 453 454 /* Basic:CA:critical */ 455 TLS_ROOT_REQ(cacertreq, 456 "UK", "qemu CA", NULL, NULL, NULL, NULL, 457 true, true, true, 458 true, true, GNUTLS_KEY_KEY_CERT_SIGN, 459 false, false, NULL, NULL, 460 0, 0); 461 462 TLS_ROOT_REQ(altcacertreq, 463 "UK", "qemu CA 1", NULL, NULL, NULL, NULL, 464 true, true, true, 465 false, false, 0, 466 false, false, NULL, NULL, 467 0, 0); 468 469 TLS_CERT_REQ(servercertreq, cacertreq, 470 "UK", "qemu.org", NULL, NULL, NULL, NULL, 471 true, true, false, 472 true, true, 473 GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT, 474 true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL, 475 0, 0); 476 TLS_CERT_REQ(clientcertreq, cacertreq, 477 "UK", "qemu", NULL, NULL, NULL, NULL, 478 true, true, false, 479 true, true, 480 GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT, 481 true, true, GNUTLS_KP_TLS_WWW_CLIENT, NULL, 482 0, 0); 483 484 TLS_CERT_REQ(clientcertaltreq, altcacertreq, 485 "UK", "qemu", NULL, NULL, NULL, NULL, 486 true, true, false, 487 true, true, 488 GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT, 489 true, true, GNUTLS_KP_TLS_WWW_CLIENT, NULL, 490 0, 0); 491 492 TEST_SESS_REG(basicca, cacertreq.filename, 493 servercertreq.filename, clientcertreq.filename, 494 false, false, "qemu.org", NULL); 495 TEST_SESS_REG_EXT(differentca, cacertreq.filename, 496 altcacertreq.filename, servercertreq.filename, 497 clientcertaltreq.filename, true, true, "qemu.org", NULL); 498 499 500 /* When an altname is set, the CN is ignored, so it must be duplicated 501 * as an altname for it to match */ 502 TLS_CERT_REQ(servercertalt1req, cacertreq, 503 "UK", "qemu.org", "www.qemu.org", "qemu.org", 504 "192.168.122.1", "fec0::dead:beaf", 505 true, true, false, 506 true, true, 507 GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT, 508 true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL, 509 0, 0); 510 /* This intentionally doesn't replicate */ 511 TLS_CERT_REQ(servercertalt2req, cacertreq, 512 "UK", "qemu.org", "www.qemu.org", "wiki.qemu.org", 513 "192.168.122.1", "fec0::dead:beaf", 514 true, true, false, 515 true, true, 516 GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT, 517 true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL, 518 0, 0); 519 520 TEST_SESS_REG(altname1, cacertreq.filename, 521 servercertalt1req.filename, clientcertreq.filename, 522 false, false, "qemu.org", NULL); 523 TEST_SESS_REG(altname2, cacertreq.filename, 524 servercertalt1req.filename, clientcertreq.filename, 525 false, false, "www.qemu.org", NULL); 526 TEST_SESS_REG(altname3, cacertreq.filename, 527 servercertalt1req.filename, clientcertreq.filename, 528 false, true, "wiki.qemu.org", NULL); 529 530 TEST_SESS_REG(altname4, cacertreq.filename, 531 servercertalt2req.filename, clientcertreq.filename, 532 false, true, "qemu.org", NULL); 533 TEST_SESS_REG(altname5, cacertreq.filename, 534 servercertalt2req.filename, clientcertreq.filename, 535 false, false, "www.qemu.org", NULL); 536 TEST_SESS_REG(altname6, cacertreq.filename, 537 servercertalt2req.filename, clientcertreq.filename, 538 false, false, "wiki.qemu.org", NULL); 539 540 const char *const wildcards1[] = { 541 "C=UK,CN=dogfood", 542 NULL, 543 }; 544 const char *const wildcards2[] = { 545 "C=UK,CN=qemu", 546 NULL, 547 }; 548 const char *const wildcards3[] = { 549 "C=UK,CN=dogfood", 550 "C=UK,CN=qemu", 551 NULL, 552 }; 553 const char *const wildcards4[] = { 554 "C=UK,CN=qemustuff", 555 NULL, 556 }; 557 const char *const wildcards5[] = { 558 "C=UK,CN=qemu*", 559 NULL, 560 }; 561 const char *const wildcards6[] = { 562 "C=UK,CN=*emu*", 563 NULL, 564 }; 565 566 TEST_SESS_REG(wildcard1, cacertreq.filename, 567 servercertreq.filename, clientcertreq.filename, 568 true, false, "qemu.org", wildcards1); 569 TEST_SESS_REG(wildcard2, cacertreq.filename, 570 servercertreq.filename, clientcertreq.filename, 571 false, false, "qemu.org", wildcards2); 572 TEST_SESS_REG(wildcard3, cacertreq.filename, 573 servercertreq.filename, clientcertreq.filename, 574 false, false, "qemu.org", wildcards3); 575 TEST_SESS_REG(wildcard4, cacertreq.filename, 576 servercertreq.filename, clientcertreq.filename, 577 true, false, "qemu.org", wildcards4); 578 TEST_SESS_REG(wildcard5, cacertreq.filename, 579 servercertreq.filename, clientcertreq.filename, 580 false, false, "qemu.org", wildcards5); 581 TEST_SESS_REG(wildcard6, cacertreq.filename, 582 servercertreq.filename, clientcertreq.filename, 583 false, false, "qemu.org", wildcards6); 584 585 TLS_ROOT_REQ(cacertrootreq, 586 "UK", "qemu root", NULL, NULL, NULL, NULL, 587 true, true, true, 588 true, true, GNUTLS_KEY_KEY_CERT_SIGN, 589 false, false, NULL, NULL, 590 0, 0); 591 TLS_CERT_REQ(cacertlevel1areq, cacertrootreq, 592 "UK", "qemu level 1a", NULL, NULL, NULL, NULL, 593 true, true, true, 594 true, true, GNUTLS_KEY_KEY_CERT_SIGN, 595 false, false, NULL, NULL, 596 0, 0); 597 TLS_CERT_REQ(cacertlevel1breq, cacertrootreq, 598 "UK", "qemu level 1b", NULL, NULL, NULL, NULL, 599 true, true, true, 600 true, true, GNUTLS_KEY_KEY_CERT_SIGN, 601 false, false, NULL, NULL, 602 0, 0); 603 TLS_CERT_REQ(cacertlevel2areq, cacertlevel1areq, 604 "UK", "qemu level 2a", NULL, NULL, NULL, NULL, 605 true, true, true, 606 true, true, GNUTLS_KEY_KEY_CERT_SIGN, 607 false, false, NULL, NULL, 608 0, 0); 609 TLS_CERT_REQ(servercertlevel3areq, cacertlevel2areq, 610 "UK", "qemu.org", NULL, NULL, NULL, NULL, 611 true, true, false, 612 true, true, 613 GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT, 614 true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL, 615 0, 0); 616 TLS_CERT_REQ(clientcertlevel2breq, cacertlevel1breq, 617 "UK", "qemu client level 2b", NULL, NULL, NULL, NULL, 618 true, true, false, 619 true, true, 620 GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT, 621 true, true, GNUTLS_KP_TLS_WWW_CLIENT, NULL, 622 0, 0); 623 624 gnutls_x509_crt_t certchain[] = { 625 cacertrootreq.crt, 626 cacertlevel1areq.crt, 627 cacertlevel1breq.crt, 628 cacertlevel2areq.crt, 629 }; 630 631 test_tls_write_cert_chain(WORKDIR "cacertchain-sess.pem", 632 certchain, 633 G_N_ELEMENTS(certchain)); 634 635 TEST_SESS_REG(cachain, WORKDIR "cacertchain-sess.pem", 636 servercertlevel3areq.filename, clientcertlevel2breq.filename, 637 false, false, "qemu.org", NULL); 638 639 ret = g_test_run(); 640 641 test_tls_discard_cert(&clientcertreq); 642 test_tls_discard_cert(&clientcertaltreq); 643 644 test_tls_discard_cert(&servercertreq); 645 test_tls_discard_cert(&servercertalt1req); 646 test_tls_discard_cert(&servercertalt2req); 647 648 test_tls_discard_cert(&cacertreq); 649 test_tls_discard_cert(&altcacertreq); 650 651 test_tls_discard_cert(&cacertrootreq); 652 test_tls_discard_cert(&cacertlevel1areq); 653 test_tls_discard_cert(&cacertlevel1breq); 654 test_tls_discard_cert(&cacertlevel2areq); 655 test_tls_discard_cert(&servercertlevel3areq); 656 test_tls_discard_cert(&clientcertlevel2breq); 657 unlink(WORKDIR "cacertchain-sess.pem"); 658 659 test_tls_psk_cleanup(PSKFILE); 660 test_tls_cleanup(KEYFILE); 661 rmdir(WORKDIR); 662 663 return ret == 0 ? EXIT_SUCCESS : EXIT_FAILURE; 664 } 665 666 #else /* ! QCRYPTO_HAVE_TLS_TEST_SUPPORT */ 667 668 int 669 main(void) 670 { 671 return EXIT_SUCCESS; 672 } 673 674 #endif /* ! QCRYPTO_HAVE_TLS_TEST_SUPPORT */ 675