/*
 * QEMU I/O channel TLS test
 *
 * Copyright (C) 2015 Red Hat, Inc.
 *
 * This library is free software; you can redistribute it and/or
 * modify it under the terms of the GNU Lesser General Public
 * License as published by the Free Software Foundation; either
 * version 2.1 of the License, or (at your option) any later version.
 *
 * This library is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
 * Lesser General Public License for more details.
 *
 * You should have received a copy of the GNU Lesser General Public
 * License along with this library.  If not, see
 * <http://www.gnu.org/licenses/>.
 *
 * Author: Daniel P. Berrange <berrange@redhat.com>
 */


#include "qemu/osdep.h"

#include "crypto-tls-x509-helpers.h"
#include "io/channel-tls.h"
#include "io/channel-socket.h"
#include "io-channel-helpers.h"
#include "crypto/init.h"
#include "crypto/tlscredsx509.h"
#include "qapi/error.h"
#include "qemu/module.h"
#include "authz/list.h"
#include "qom/object_interfaces.h"

/* Scratch directory for the generated test key; created by main() */
#define WORKDIR "tests/test-io-channel-tls-work/"
/*
 * The one private key used by this test. test_io_channel_tls() hard-links
 * it into both the server and the client credentials directory.
 */
#define KEYFILE WORKDIR "key-ctx.pem"

/*
 * Parameters of one test case. Instances are declared by the
 * TEST_CHANNEL macro in main() and reach test_io_channel_tls()
 * through its opaque argument.
 */
struct QIOChannelTLSTestData {
    const char *servercacrt;      /* CA cert linked into the server dir */
    const char *clientcacrt;      /* CA cert linked into the client dir */
    const char *servercrt;        /* server end-entity cert */
    const char *clientcrt;        /* client end-entity cert */
    bool expectServerFail;        /* server-side handshake must report an error */
    bool expectClientFail;        /* client-side handshake must report an error */
    const char *hostname;         /* hostname the client session is created with */
    const char *const *wildcards; /* NULL-terminated globs added to the server ACL */
};

/* Outcome recorded by test_tls_handshake_done() for one side of the session */
struct QIOChannelTLSHandshakeData {
    bool finished; /* the completion callback has run */
    bool failed;   /* the handshake task carried an error */
};

/*
 * Completion callback for qio_channel_tls_handshake().
 *
 * @task: the finished handshake task
 * @opaque: the struct QIOChannelTLSHandshakeData of this side
 *
 * Only the presence of an error is kept (NULL errp), not the error
 * itself; the caller compares the flag against its expectation.
 */
static void test_tls_handshake_done(QIOTask *task,
                                    gpointer opaque)
{
    struct QIOChannelTLSHandshakeData *hs = opaque;

    hs->finished = true;
    hs->failed = qio_task_propagate_error(task, NULL);
}


/*
 * Create X509 TLS credentials for one endpoint.
 *
 * @endpoint: QCRYPTO_TLS_CREDS_ENDPOINT_SERVER or _CLIENT
 * @certdir: directory holding the CA cert, endpoint cert and key
 *
 * Returns the new creds object, parented to the objects root under a
 * fixed per-role name. "verify-peer" is enabled for both roles, so a
 * session built from a server and a client creds pair authenticates in
 * both directions. Any property or construction failure aborts the
 * process via &error_abort rather than returning NULL.
 */
static QCryptoTLSCreds *test_tls_creds_create(QCryptoTLSCredsEndpoint endpoint,
                                              const char *certdir)
{
    bool isServer = (endpoint == QCRYPTO_TLS_CREDS_ENDPOINT_SERVER);
    const char *objname = isServer ? "testtlscredsserver" : "testtlscredsclient";
    const char *role = isServer ? "server" : "client";
    Object *parent = object_get_objects_root();
    Object *creds;

    creds = object_new_with_props(TYPE_QCRYPTO_TLS_CREDS_X509,
                                  parent,
                                  objname,
                                  &error_abort,
                                  "endpoint", role,
                                  "dir", certdir,
                                  "verify-peer", "yes",
                                  "priority", "NORMAL",
                                  /*
                                   * Sanity checks on the loaded certs are
                                   * skipped on purpose: this test wants
                                   * problems to surface at TLS session
                                   * validation time, and the sanity-check
                                   * code is already covered by the
                                   * test-crypto-tlscreds test.
                                   */
                                  "sanity-check", "no",
                                  NULL);

    return QCRYPTO_TLS_CREDS(creds);
}


/*
 * This tests validation checking of peer certificates
 *
 * This is replicating the checks that are done for an
 * active TLS session after handshake completes. To
 * simulate that we create our TLS contexts, skipping
 * sanity checks. We then get a socketpair, and
 * initiate a TLS session across them. Finally we do
 * the actual cert validation tests
*/
/*
 * @opaque: a struct QIOChannelTLSTestData registered by TEST_CHANNEL in main()
 *
 * Every failure below is a g_assert(), i.e. a process abort, so the
 * certificate directories and hard-linked key created here are only
 * removed on the success path; a failed run leaves them on disk.
 */
static void test_io_channel_tls(const void *opaque)
{
    struct QIOChannelTLSTestData *data =
        (struct QIOChannelTLSTestData *)opaque;
    QCryptoTLSCreds *clientCreds;
    QCryptoTLSCreds *serverCreds;
    QIOChannelTLS *clientChanTLS;
    QIOChannelTLS *serverChanTLS;
    QIOChannelSocket *clientChanSock;
    QIOChannelSocket *serverChanSock;
    QAuthZList *auth;
    const char * const *wildcards;
    int channel[2];
    struct QIOChannelTLSHandshakeData clientHandshake = { false, false };
    struct QIOChannelTLSHandshakeData serverHandshake = { false, false };
    QIOChannelTest *test;
    GMainContext *mainloop;

    /*
     * We'll use this for our fake client-server connection.
     * An AF_UNIX pair: the test never opens a listening network socket.
     */
    g_assert(socketpair(AF_UNIX, SOCK_STREAM, 0, channel) == 0);

#define CLIENT_CERT_DIR "tests/test-io-channel-tls-client/"
#define SERVER_CERT_DIR "tests/test-io-channel-tls-server/"
    /*
     * 0700: these directories will hold a private key, keep them
     * owner-only. The return value is left unchecked; a missing
     * directory makes the link() asserts below fail instead.
     */
    g_mkdir_with_parents(CLIENT_CERT_DIR, 0700);
    g_mkdir_with_parents(SERVER_CERT_DIR, 0700);

    /*
     * link() refuses to overwrite an existing path, so clear anything
     * left behind by an earlier run that did not reach the cleanup below.
     */
    unlink(SERVER_CERT_DIR QCRYPTO_TLS_CREDS_X509_CA_CERT);
    unlink(SERVER_CERT_DIR QCRYPTO_TLS_CREDS_X509_SERVER_CERT);
    unlink(SERVER_CERT_DIR QCRYPTO_TLS_CREDS_X509_SERVER_KEY);

    unlink(CLIENT_CERT_DIR QCRYPTO_TLS_CREDS_X509_CA_CERT);
    unlink(CLIENT_CERT_DIR QCRYPTO_TLS_CREDS_X509_CLIENT_CERT);
    unlink(CLIENT_CERT_DIR QCRYPTO_TLS_CREDS_X509_CLIENT_KEY);

    /*
     * Populate each creds dir with the layout the X509 creds object
     * expects. The same private key (KEYFILE) serves both endpoints;
     * it is hard-linked, not copied, so WORKDIR and the cert dirs
     * must be on the same filesystem.
     */
    g_assert(link(data->servercacrt,
                  SERVER_CERT_DIR QCRYPTO_TLS_CREDS_X509_CA_CERT) == 0);
    g_assert(link(data->servercrt,
                  SERVER_CERT_DIR QCRYPTO_TLS_CREDS_X509_SERVER_CERT) == 0);
    g_assert(link(KEYFILE,
                  SERVER_CERT_DIR QCRYPTO_TLS_CREDS_X509_SERVER_KEY) == 0);

    g_assert(link(data->clientcacrt,
                  CLIENT_CERT_DIR QCRYPTO_TLS_CREDS_X509_CA_CERT) == 0);
    g_assert(link(data->clientcrt,
                  CLIENT_CERT_DIR QCRYPTO_TLS_CREDS_X509_CLIENT_CERT) == 0);
    g_assert(link(KEYFILE,
                  CLIENT_CERT_DIR QCRYPTO_TLS_CREDS_X509_CLIENT_KEY) == 0);

    /*
     * Both creds objects are built with "verify-peer" enabled (see
     * test_tls_creds_create), so the session below authenticates in
     * both directions. Construction failures abort via &error_abort;
     * the NULL asserts are belt-and-braces.
     */
    clientCreds = test_tls_creds_create(
        QCRYPTO_TLS_CREDS_ENDPOINT_CLIENT,
        CLIENT_CERT_DIR);
    g_assert(clientCreds != NULL);

    serverCreds = test_tls_creds_create(
        QCRYPTO_TLS_CREDS_ENDPOINT_SERVER,
        SERVER_CERT_DIR);
    g_assert(serverCreds != NULL);

    /*
     * Default-deny ACL for the server side; only peer identities matching
     * one of the test's glob rules are allowed. The server session looks
     * this object up by its name "channeltlsacl" further down.
     */
    auth = qauthz_list_new("channeltlsacl",
                           QAUTHZ_LIST_POLICY_DENY,
                           &error_abort);
    wildcards = data->wildcards;
    while (wildcards && *wildcards) {
        qauthz_list_append_rule(auth, *wildcards,
                                QAUTHZ_LIST_POLICY_ALLOW,
                                QAUTHZ_LIST_FORMAT_GLOB,
                                &error_abort);
        wildcards++;
    }

    clientChanSock = qio_channel_socket_new_fd(
        channel[0], &error_abort);
    g_assert(clientChanSock != NULL);
    serverChanSock = qio_channel_socket_new_fd(
        channel[1], &error_abort);
    g_assert(serverChanSock != NULL);

    /*
     * We have an evil loop to do the handshake in a single
     * thread, so we need these non-blocking to avoid deadlock
     * of ourselves
     */
    qio_channel_set_blocking(QIO_CHANNEL(clientChanSock), false, NULL);
    qio_channel_set_blocking(QIO_CHANNEL(serverChanSock), false, NULL);

    /*
     * Now the real part of the test, setup the sessions.
     * data->hostname is passed as the name the client session is
     * created for (presumably what the server cert is checked against
     * — confirm in io/channel-tls.h).
     */
    clientChanTLS = qio_channel_tls_new_client(
        QIO_CHANNEL(clientChanSock), clientCreds,
        data->hostname, &error_abort);
    g_assert(clientChanTLS != NULL);

    /* The ACL name must match the qauthz_list_new() call above */
    serverChanTLS = qio_channel_tls_new_server(
        QIO_CHANNEL(serverChanSock), serverCreds,
        "channeltlsacl", &error_abort);
    g_assert(serverChanTLS != NULL);

    /*
     * Start both handshakes before pumping the main loop; each callback
     * flips its own QIOChannelTLSHandshakeData. The two trailing NULLs
     * are the optional destroy-notify and main-context arguments
     * (assumed from the signature — confirm in io/channel-tls.h).
     */
    qio_channel_tls_handshake(clientChanTLS,
                              test_tls_handshake_done,
                              &clientHandshake,
                              NULL,
                              NULL);
    qio_channel_tls_handshake(serverChanTLS,
                              test_tls_handshake_done,
                              &serverHandshake,
                              NULL,
                              NULL);

    /*
     * Finally we loop around & around doing handshake on each
     * session until we get an error, or the handshake completes.
     * This relies on the socketpair being nonblocking to avoid
     * deadlocking ourselves upon handshake.
     * NOTE: there is no timeout here; if neither completion callback
     * ever fires, this loop does not terminate.
     */
    mainloop = g_main_context_default();
    do {
        g_main_context_iteration(mainloop, TRUE);
    } while (!clientHandshake.finished ||
             !serverHandshake.finished);

    /* Expectations are per direction; the test data carries one flag each */
    g_assert(clientHandshake.failed == data->expectClientFail);
    g_assert(serverHandshake.failed == data->expectServerFail);

    /*
     * Push data through the established session in both modes. The bool
     * argument presumably selects blocking transfer — confirm in
     * io-channel-helpers.h; the test object is not freed here, so
     * qio_channel_test_validate() is assumed to release it.
     */
    test = qio_channel_test_new();
    qio_channel_test_run_threads(test, false,
                                 QIO_CHANNEL(clientChanTLS),
                                 QIO_CHANNEL(serverChanTLS));
    qio_channel_test_validate(test);

    test = qio_channel_test_new();
    qio_channel_test_run_threads(test, true,
                                 QIO_CHANNEL(clientChanTLS),
                                 QIO_CHANNEL(serverChanTLS));
    qio_channel_test_validate(test);

    /* Success-path cleanup: drop the key/cert links, then the dirs (best effort) */
    unlink(SERVER_CERT_DIR QCRYPTO_TLS_CREDS_X509_CA_CERT);
    unlink(SERVER_CERT_DIR QCRYPTO_TLS_CREDS_X509_SERVER_CERT);
    unlink(SERVER_CERT_DIR QCRYPTO_TLS_CREDS_X509_SERVER_KEY);

    unlink(CLIENT_CERT_DIR QCRYPTO_TLS_CREDS_X509_CA_CERT);
    unlink(CLIENT_CERT_DIR QCRYPTO_TLS_CREDS_X509_CLIENT_CERT);
    unlink(CLIENT_CERT_DIR QCRYPTO_TLS_CREDS_X509_CLIENT_KEY);

    rmdir(CLIENT_CERT_DIR);
    rmdir(SERVER_CERT_DIR);

    /* Creds and ACL are parented objects, channels are plain refs */
    object_unparent(OBJECT(serverCreds));
    object_unparent(OBJECT(clientCreds));

    object_unref(OBJECT(serverChanTLS));
    object_unref(OBJECT(clientChanTLS));

    object_unref(OBJECT(serverChanSock));
    object_unref(OBJECT(clientChanSock));

    object_unparent(OBJECT(auth));

    close(channel[0]);
    close(channel[1]);
}


/*
 * Entry point: initialise crypto and QOM, generate the test key and a
 * CA/server/client certificate chain, register the single "basic" case
 * and run it. Returns EXIT_SUCCESS only when g_test_run() reports 0.
 */
int main(int argc, char **argv)
{
    int ret;

    g_assert(qcrypto_init(NULL) == 0);

    /* Register QOM types (creds, authz) — assumed from the init group name */
    module_call_init(MODULE_INIT_QOM);
    g_test_init(&argc, &argv, NULL);
    /*
     * Overrides GnuTLS' FIPS mode selection via the environment ("2" is
     * documented by GnuTLS as its lax mode — confirm for the installed
     * version). NOTE(review): this is set after qcrypto_init(); whether
     * GnuTLS still honours the variable at this point depends on when it
     * reads it — confirm.
     */
    g_setenv("GNUTLS_FORCE_FIPS_MODE", "2", 1);

    /* Owner-only scratch dir for the private key generated next */
    g_mkdir_with_parents(WORKDIR, 0700);

    /* Presumably generates the key at KEYFILE; see crypto-tls-x509-helpers.h */
    test_tls_init(KEYFILE);

    /*
     * Declares a QIOChannelTLSTestData named `name` in main()'s scope, so
     * it outlives g_test_run(), and registers it as /qio/channel/tls/<name>.
     * The same CA cert (caCrt) is installed on both the server and client
     * side.
     */
# define TEST_CHANNEL(name, caCrt, \
                      serverCrt, clientCrt, \
                      expectServerFail, expectClientFail, \
                      hostname, wildcards) \
    struct QIOChannelTLSTestData name = { \
        caCrt, caCrt, serverCrt, clientCrt, \
        expectServerFail, expectClientFail, \
        hostname, wildcards \
    }; \
    g_test_add_data_func("/qio/channel/tls/" # name, \
                         &name, test_io_channel_tls);

    /* A perfect CA, perfect client & perfect server */

    /*
     * Basic:CA:critical
     * CA with key usage keyCertSign (GNUTLS_KEY_KEY_CERT_SIGN); the other
     * positional flags are documented in crypto-tls-x509-helpers.h.
     */
    TLS_ROOT_REQ(cacertreq,
                 "UK", "qemu CA", NULL, NULL, NULL, NULL,
                 true, true, true,
                 true, true, GNUTLS_KEY_KEY_CERT_SIGN,
                 false, false, NULL, NULL,
                 0, 0);
    /* Server cert: name "qemu.org", EKU serverAuth (GNUTLS_KP_TLS_WWW_SERVER) */
    TLS_CERT_REQ(servercertreq, cacertreq,
                 "UK", "qemu.org", NULL, NULL, NULL, NULL,
                 true, true, false,
                 true, true,
                 GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT,
                 true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL,
                 0, 0);
    /* Client cert: name "qemu", EKU clientAuth (GNUTLS_KP_TLS_WWW_CLIENT) */
    TLS_CERT_REQ(clientcertreq, cacertreq,
                 "UK", "qemu", NULL, NULL, NULL, NULL,
                 true, true, false,
                 true, true,
                 GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT,
                 true, true, GNUTLS_KP_TLS_WWW_CLIENT, NULL,
                 0, 0);

    /*
     * Glob the server ACL allows; presumably matches the client cert's
     * subject ("UK"/"qemu" above — confirm the TLS_CERT_REQ argument order).
     */
    const char *const wildcards[] = {
        "C=UK,CN=qemu*",
        NULL,
    };
    /* Hostname "qemu.org" matches the server cert name; both sides must succeed */
    TEST_CHANNEL(basic, cacertreq.filename, servercertreq.filename,
                 clientcertreq.filename, false, false,
                 "qemu.org", wildcards);

    ret = g_test_run();

    test_tls_discard_cert(&clientcertreq);
    test_tls_discard_cert(&servercertreq);
    test_tls_discard_cert(&cacertreq);

    /* Remove the generated private key and its directory (return values ignored) */
    test_tls_cleanup(KEYFILE);
    rmdir(WORKDIR);

    return ret == 0 ? EXIT_SUCCESS : EXIT_FAILURE;
}