1ed8ee42cSDaniel P. Berrange /* 2ed8ee42cSDaniel P. Berrange * QEMU I/O channel TLS test 3ed8ee42cSDaniel P. Berrange * 4ed8ee42cSDaniel P. Berrange * Copyright (C) 2015 Red Hat, Inc. 5ed8ee42cSDaniel P. Berrange * 6ed8ee42cSDaniel P. Berrange * This library is free software; you can redistribute it and/or 7ed8ee42cSDaniel P. Berrange * modify it under the terms of the GNU Lesser General Public 8ed8ee42cSDaniel P. Berrange * License as published by the Free Software Foundation; either 9ed8ee42cSDaniel P. Berrange * version 2.1 of the License, or (at your option) any later version. 10ed8ee42cSDaniel P. Berrange * 11ed8ee42cSDaniel P. Berrange * This library is distributed in the hope that it will be useful, 12ed8ee42cSDaniel P. Berrange * but WITHOUT ANY WARRANTY; without even the implied warranty of 13ed8ee42cSDaniel P. Berrange * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU 14ed8ee42cSDaniel P. Berrange * Lesser General Public License for more details. 15ed8ee42cSDaniel P. Berrange * 16ed8ee42cSDaniel P. Berrange * You should have received a copy of the GNU Lesser General Public 17ed8ee42cSDaniel P. Berrange * License along with this library. If not, see 18ed8ee42cSDaniel P. Berrange * <http://www.gnu.org/licenses/>. 19ed8ee42cSDaniel P. Berrange * 20ed8ee42cSDaniel P. Berrange * Author: Daniel P. Berrange <berrange@redhat.com> 21ed8ee42cSDaniel P. Berrange */ 22ed8ee42cSDaniel P. Berrange 23ed8ee42cSDaniel P. Berrange 24681c28a3SPeter Maydell #include "qemu/osdep.h" 25ed8ee42cSDaniel P. Berrange 26ed8ee42cSDaniel P. Berrange #include "crypto-tls-x509-helpers.h" 27ed8ee42cSDaniel P. Berrange #include "io/channel-tls.h" 28ed8ee42cSDaniel P. Berrange #include "io/channel-socket.h" 29ed8ee42cSDaniel P. Berrange #include "io-channel-helpers.h" 30d26d6b5dSDaniel P. Berrange #include "crypto/init.h" 31ed8ee42cSDaniel P. Berrange #include "crypto/tlscredsx509.h" 3268db1318SDaniel P. 
#include "qapi/error.h"
#include "qemu/module.h"
#include "authz/list.h"
#include "qom/object_interfaces.h"

#ifdef QCRYPTO_HAVE_TLS_TEST_SUPPORT

#define WORKDIR "tests/test-io-channel-tls-work/"
#define KEYFILE WORKDIR "key-ctx.pem"

/*
 * Parameters of one test case. Keep the field order stable: main()
 * builds these via the TEST_CHANNEL() macro.
 */
struct QIOChannelTLSTestData {
    const char *servercacrt;      /* CA cert linked into the server's cert dir */
    const char *clientcacrt;      /* CA cert linked into the client's cert dir */
    const char *servercrt;        /* server's own cert */
    const char *clientcrt;        /* client's own cert */
    bool expectServerFail;        /* should the server-side handshake report an error? */
    bool expectClientFail;        /* should the client-side handshake report an error? */
    const char *hostname;         /* hostname handed to qio_channel_tls_new_client() */
    const char *const *wildcards; /* NULL-terminated globs added as ALLOW rules to the server ACL */
};

/* Outcome of one side's handshake, filled in by test_tls_handshake_done() */
struct QIOChannelTLSHandshakeData {
    bool finished;
    bool failed;
};

/*
 * Handshake completion callback.
 *
 * Records whether the task carried an error (the error object itself
 * is dropped; only its presence matters) and then flags the handshake
 * as finished so the driving loop in test_io_channel_tls() can stop.
 */
static void test_tls_handshake_done(QIOTask *task,
                                    gpointer opaque)
{
    struct QIOChannelTLSHandshakeData *hs = opaque;

    hs->failed = qio_task_propagate_error(task, NULL);
    hs->finished = true;
}


/*
 * Create an x509 TLS credentials object for @endpoint, loading its
 * CA/cert/key files from @certdir.
 *
 * The object is created as a child of the QOM objects root under a
 * fixed per-endpoint id; the caller is responsible for unparenting it
 * when done. Peer verification is enabled, since that is what the
 * test exercises. Aborts on any creation error.
 */
static QCryptoTLSCreds *test_tls_creds_create(QCryptoTLSCredsEndpoint endpoint,
                                              const char *certdir)
{
    bool is_server = (endpoint == QCRYPTO_TLS_CREDS_ENDPOINT_SERVER);
    const char *id = is_server ? "testtlscredsserver" : "testtlscredsclient";
    const char *role = is_server ? "server" : "client";
    Object *root = object_get_objects_root();
    Object *creds;

    creds = object_new_with_props(TYPE_QCRYPTO_TLS_CREDS_X509,
                                  root,
                                  id,
                                  &error_abort,
                                  "endpoint", role,
                                  "dir", certdir,
                                  "verify-peer", "yes",
                                  "priority", "NORMAL",
                                  /*
                                   * Skip the load-time sanity checks on the
                                   * cert files: this test wants problems to
                                   * surface during TLS session validation,
                                   * and test-crypto-tlscreds already covers
                                   * the sanity check code.
                                   */
                                  "sanity-check", "no",
                                  NULL);

    return QCRYPTO_TLS_CREDS(creds);
}


/*
 * This tests validation checking of peer certificates
 *
 * This is replicating the checks that are done for an
 * active TLS session after handshake completes. To
 * simulate that we create our TLS contexts, skipping
 * sanity checks. We then get a socketpair, and
 * initiate a TLS session across them. Finally we
* do actual cert validation tests
*/

#define CLIENT_CERT_DIR "tests/test-io-channel-tls-client/"
#define SERVER_CERT_DIR "tests/test-io-channel-tls-server/"

/*
 * Remove the CA, cert and key files from both per-endpoint cert
 * directories. unlink() results are deliberately ignored: the files
 * may legitimately be absent (fresh tree, or an earlier aborted run
 * that got part way).
 */
static void test_tls_remove_certs(void)
{
    unlink(SERVER_CERT_DIR QCRYPTO_TLS_CREDS_X509_CA_CERT);
    unlink(SERVER_CERT_DIR QCRYPTO_TLS_CREDS_X509_SERVER_CERT);
    unlink(SERVER_CERT_DIR QCRYPTO_TLS_CREDS_X509_SERVER_KEY);

    unlink(CLIENT_CERT_DIR QCRYPTO_TLS_CREDS_X509_CA_CERT);
    unlink(CLIENT_CERT_DIR QCRYPTO_TLS_CREDS_X509_CLIENT_CERT);
    unlink(CLIENT_CERT_DIR QCRYPTO_TLS_CREDS_X509_CLIENT_KEY);
}

/*
 * Populate the per-endpoint cert directories that the x509 creds
 * objects load from. Each endpoint gets its CA cert, its own cert and
 * the shared test key (KEYFILE), hard-linked under the filenames named
 * by the QCRYPTO_TLS_CREDS_X509_* macros. Leftovers from an earlier run
 * are cleared first. Aborts if any link() fails.
 */
static void test_tls_install_certs(const struct QIOChannelTLSTestData *data)
{
    /*
     * Return values ignored on purpose: the dirs may already exist,
     * and if one is genuinely missing the link() asserts below fire.
     */
    mkdir(CLIENT_CERT_DIR, 0700);
    mkdir(SERVER_CERT_DIR, 0700);

    test_tls_remove_certs();

    g_assert(link(data->servercacrt,
                  SERVER_CERT_DIR QCRYPTO_TLS_CREDS_X509_CA_CERT) == 0);
    g_assert(link(data->servercrt,
                  SERVER_CERT_DIR QCRYPTO_TLS_CREDS_X509_SERVER_CERT) == 0);
    g_assert(link(KEYFILE,
                  SERVER_CERT_DIR QCRYPTO_TLS_CREDS_X509_SERVER_KEY) == 0);

    g_assert(link(data->clientcacrt,
                  CLIENT_CERT_DIR QCRYPTO_TLS_CREDS_X509_CA_CERT) == 0);
    g_assert(link(data->clientcrt,
                  CLIENT_CERT_DIR QCRYPTO_TLS_CREDS_X509_CLIENT_CERT) == 0);
    g_assert(link(KEYFILE,
                  CLIENT_CERT_DIR QCRYPTO_TLS_CREDS_X509_CLIENT_KEY) == 0);
}

/*
 * One test case (see struct QIOChannelTLSTestData for the parameters).
 *
 * Drives a full TLS handshake between a client and a server creds
 * object across a socketpair, checks that each side's handshake
 * outcome matches the expectation in @opaque, and then runs the
 * generic I/O channel test over the resulting TLS channels (once with
 * the flag false, once with it true).
 *
 * Both creds objects have peer verification enabled. The server side
 * additionally references a deny-by-default QAuthZList (object id
 * "channeltlsacl") whose only ALLOW rules are data->wildcards, so the
 * client's certificate identity is expected to match one of those
 * globs for the server handshake to succeed.
 *
 * Every failure aborts via g_assert(); no cleanup is attempted on
 * that path.
 */
static void test_io_channel_tls(const void *opaque)
{
    const struct QIOChannelTLSTestData *data = opaque;
    struct QIOChannelTLSHandshakeData client_hs = { .finished = false, .failed = false };
    struct QIOChannelTLSHandshakeData server_hs = { .finished = false, .failed = false };
    QCryptoTLSCreds *client_creds, *server_creds;
    QIOChannelSocket *client_sock, *server_sock;
    QIOChannelTLS *client_tls, *server_tls;
    QAuthZList *acl;
    QIOChannelTest *iotest;
    GMainContext *loop;
    int fds[2];

    /* The two ends of this pair stand in for a client-server connection */
    g_assert(socketpair(AF_UNIX, SOCK_STREAM, 0, fds) == 0);

    test_tls_install_certs(data);

    client_creds = test_tls_creds_create(QCRYPTO_TLS_CREDS_ENDPOINT_CLIENT,
                                         CLIENT_CERT_DIR);
    g_assert(client_creds != NULL);

    server_creds = test_tls_creds_create(QCRYPTO_TLS_CREDS_ENDPOINT_SERVER,
                                         SERVER_CERT_DIR);
    g_assert(server_creds != NULL);

    /*
     * Deny by default; each wildcard becomes an ALLOW glob rule. The
     * server channel created below refers to this list by its id.
     */
    acl = qauthz_list_new("channeltlsacl",
                          QAUTHZ_LIST_POLICY_DENY,
                          &error_abort);
    for (const char *const *rule = data->wildcards; rule && *rule; rule++) {
        qauthz_list_append_rule(acl, *rule,
                                QAUTHZ_LIST_POLICY_ALLOW,
                                QAUTHZ_LIST_FORMAT_GLOB,
                                &error_abort);
    }

    client_sock = qio_channel_socket_new_fd(fds[0], &error_abort);
    g_assert(client_sock != NULL);
    server_sock = qio_channel_socket_new_fd(fds[1], &error_abort);
    g_assert(server_sock != NULL);

    /*
     * Both handshakes are driven from this single thread by the main
     * loop further down, so the sockets must be non-blocking or the
     * two sides would deadlock waiting on each other.
     */
    qio_channel_set_blocking(QIO_CHANNEL(client_sock), false, NULL);
    qio_channel_set_blocking(QIO_CHANNEL(server_sock), false, NULL);

    /* The real part of the test: set up the two TLS sessions */
    client_tls = qio_channel_tls_new_client(QIO_CHANNEL(client_sock),
                                            client_creds,
                                            data->hostname,
                                            &error_abort);
    g_assert(client_tls != NULL);

    server_tls = qio_channel_tls_new_server(QIO_CHANNEL(server_sock),
                                            server_creds,
                                            "channeltlsacl",
                                            &error_abort);
    g_assert(server_tls != NULL);

    qio_channel_tls_handshake(client_tls,
                              test_tls_handshake_done,
                              &client_hs,
                              NULL,
                              NULL);
    qio_channel_tls_handshake(server_tls,
                              test_tls_handshake_done,
                              &server_hs,
                              NULL,
                              NULL);

    /*
     * Pump the default main context until both completion callbacks
     * have run, whether they reported success or an error. This only
     * terminates because the socketpair is non-blocking.
     */
    loop = g_main_context_default();
    do {
        g_main_context_iteration(loop, TRUE);
    } while (!(client_hs.finished && server_hs.finished));

    g_assert(client_hs.failed == data->expectClientFail);
    g_assert(server_hs.failed == data->expectServerFail);

    /* Push data through the established sessions in both modes */
    iotest = qio_channel_test_new();
    qio_channel_test_run_threads(iotest, false,
                                 QIO_CHANNEL(client_tls),
                                 QIO_CHANNEL(server_tls));
    qio_channel_test_validate(iotest);

    iotest = qio_channel_test_new();
    qio_channel_test_run_threads(iotest, true,
                                 QIO_CHANNEL(client_tls),
                                 QIO_CHANNEL(server_tls));
    qio_channel_test_validate(iotest);

    test_tls_remove_certs();
    rmdir(CLIENT_CERT_DIR);
    rmdir(SERVER_CERT_DIR);

    /* Creds and the ACL were parented under the objects root */
    object_unparent(OBJECT(server_creds));
    object_unparent(OBJECT(client_creds));

    object_unref(OBJECT(server_tls));
    object_unref(OBJECT(client_tls));

    object_unref(OBJECT(server_sock));
    object_unref(OBJECT(client_sock));

    object_unparent(OBJECT(acl));

    close(fds[0]);
    close(fds[1]);
}


int main(int argc, char **argv)
{
    int ret;

    g_assert(qcrypto_init(NULL) == 0);

    module_call_init(MODULE_INIT_QOM);
    g_test_init(&argc, &argv, NULL);
    /*
     * NOTE(review): this is exported only after qcrypto_init() has
     * already initialised gnutls; whether the library still honours
     * it at this point should be confirmed against the gnutls version
     * in use.
     */
    setenv("GNUTLS_FORCE_FIPS_MODE", "2", 1);

    mkdir(WORKDIR, 0700);

    /*
     * Sets up KEYFILE, which test_io_channel_tls() links in as the
     * private key of both endpoints.
     */
    test_tls_init(KEYFILE);

    /*
     * Register one test case under /qio/channel/tls/<name>. The same
     * CA cert is installed on both sides. Parameter names are kept
     * distinct from the struct field names so the designated
     * initializers survive macro substitution.
     */
#define TEST_CHANNEL(name, ca, srv, clt, srv_fail, clt_fail, host, wild)  \
    struct QIOChannelTLSTestData name = {                                 \
        .servercacrt = ca,                                                \
        .clientcacrt = ca,                                                \
        .servercrt = srv,                                                 \
        .clientcrt = clt,                                                 \
        .expectServerFail = srv_fail,                                     \
        .expectClientFail = clt_fail,                                     \
        .hostname = host,                                                 \
        .wildcards = wild,                                                \
    };                                                                    \
    g_test_add_data_func("/qio/channel/tls/" # name,                      \
                         &name, test_io_channel_tls);

    /* A perfect CA, perfect client & perfect server */

    /* Basic:CA:critical -- CA=true, key usage keyCertSign */
    TLS_ROOT_REQ(cacertreq,
                 "UK", "qemu CA", NULL, NULL, NULL, NULL,
                 true, true, true,
                 true, true, GNUTLS_KEY_KEY_CERT_SIGN,
                 false, false, NULL, NULL,
                 0, 0);
    /* Server cert issued by the CA; CN matches the hostname used below */
    TLS_CERT_REQ(servercertreq, cacertreq,
                 "UK", "qemu.org", NULL, NULL, NULL, NULL,
                 true, true, false,
                 true, true,
                 GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT,
                 true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL,
                 0, 0);
    /* Client cert issued by the CA, with the TLS WWW client purpose */
    TLS_CERT_REQ(clientcertreq, cacertreq,
                 "UK", "qemu", NULL, NULL, NULL, NULL,
                 true, true, false,
                 true, true,
                 GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT,
                 true, true, GNUTLS_KP_TLS_WWW_CLIENT, NULL,
                 0, 0);

    /* Globs the server ACL allows; NULL-terminated */
    const char *const allowed_dns[] = {
        "C=UK,CN=qemu*",
        NULL,
    };
    TEST_CHANNEL(basic, cacertreq.filename, servercertreq.filename,
                 clientcertreq.filename, false, false,
                 "qemu.org", allowed_dns);

    ret = g_test_run();

    test_tls_discard_cert(&clientcertreq);
    test_tls_discard_cert(&servercertreq);
    test_tls_discard_cert(&cacertreq);

    test_tls_cleanup(KEYFILE);
    rmdir(WORKDIR);

    if (ret != 0) {
        return EXIT_FAILURE;
    }
    return EXIT_SUCCESS;
}

#else /* ! QCRYPTO_HAVE_TLS_TEST_SUPPORT */

/* TLS test support not built in: nothing to exercise, report success */
int main(void)
{
    return EXIT_SUCCESS;
}

#endif /* ! QCRYPTO_HAVE_TLS_TEST_SUPPORT */