search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
sm501: Perform a full update after palette change
[qemu/ar7.git] / tests / test-crypto-tlssession.c
blob7bd811796e8814361a1609f73c0b0001d4995e44
1 /*
2 * Copyright (C) 2015 Red Hat, Inc.
3 *
4 * This library is free software; you can redistribute it and/or
5 * modify it under the terms of the GNU Lesser General Public
6 * License as published by the Free Software Foundation; either
7 * version 2.1 of the License, or (at your option) any later version.
8 *
9 * This library is distributed in the hope that it will be useful,
10 * but WITHOUT ANY WARRANTY; without even the implied warranty of
11 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
12 * Lesser General Public License for more details.
13 *
14 * You should have received a copy of the GNU Lesser General Public
15 * License along with this library. If not, see
16 * <http://www.gnu.org/licenses/>.
17 *
18 * Author: Daniel P. Berrange <berrange@redhat.com>
19 */
20
21 #include "qemu/osdep.h"
22
23 #include "crypto-tls-x509-helpers.h"
24 #include "crypto-tls-psk-helpers.h"
25 #include "crypto/tlscredsx509.h"
26 #include "crypto/tlscredspsk.h"
27 #include "crypto/tlssession.h"
28 #include "qom/object_interfaces.h"
29 #include "qapi/error.h"
30 #include "qemu/sockets.h"
31 #include "qemu/acl.h"
32
33 #ifdef QCRYPTO_HAVE_TLS_TEST_SUPPORT
34
35 #define WORKDIR "tests/test-crypto-tlssession-work/"
36 #define PSKFILE WORKDIR "keys.psk"
37 #define KEYFILE WORKDIR "key-ctx.pem"
38
39 static ssize_t testWrite(const char *buf, size_t len, void *opaque)
40 {
41 int *fd = opaque;
42
43 return write(*fd, buf, len);
44 }
45
46 static ssize_t testRead(char *buf, size_t len, void *opaque)
47 {
48 int *fd = opaque;
49
50 return read(*fd, buf, len);
51 }
52
53 static QCryptoTLSCreds *test_tls_creds_psk_create(
54 QCryptoTLSCredsEndpoint endpoint,
55 const char *dir,
56 Error **errp)
57 {
58 Error *err = NULL;
59 Object *parent = object_get_objects_root();
60 Object *creds = object_new_with_props(
61 TYPE_QCRYPTO_TLS_CREDS_PSK,
62 parent,
63 (endpoint == QCRYPTO_TLS_CREDS_ENDPOINT_SERVER ?
64 "testtlscredsserver" : "testtlscredsclient"),
65 &err,
66 "endpoint", (endpoint == QCRYPTO_TLS_CREDS_ENDPOINT_SERVER ?
67 "server" : "client"),
68 "dir", dir,
69 "priority", "NORMAL",
70 NULL
71 );
72
73 if (err) {
74 error_propagate(errp, err);
75 return NULL;
76 }
77 return QCRYPTO_TLS_CREDS(creds);
78 }
79
80
81 static void test_crypto_tls_session_psk(void)
82 {
83 QCryptoTLSCreds *clientCreds;
84 QCryptoTLSCreds *serverCreds;
85 QCryptoTLSSession *clientSess = NULL;
86 QCryptoTLSSession *serverSess = NULL;
87 int channel[2];
88 bool clientShake = false;
89 bool serverShake = false;
90 Error *err = NULL;
91 int ret;
92
93 /* We'll use this for our fake client-server connection */
94 ret = socketpair(AF_UNIX, SOCK_STREAM, 0, channel);
95 g_assert(ret == 0);
96
97 /*
98 * We have an evil loop to do the handshake in a single
99 * thread, so we need these non-blocking to avoid deadlock
100 * of ourselves
101 */
102 qemu_set_nonblock(channel[0]);
103 qemu_set_nonblock(channel[1]);
104
105 clientCreds = test_tls_creds_psk_create(
106 QCRYPTO_TLS_CREDS_ENDPOINT_CLIENT,
107 WORKDIR,
108 &err);
109 g_assert(clientCreds != NULL);
110
111 serverCreds = test_tls_creds_psk_create(
112 QCRYPTO_TLS_CREDS_ENDPOINT_SERVER,
113 WORKDIR,
114 &err);
115 g_assert(serverCreds != NULL);
116
117 /* Now the real part of the test, setup the sessions */
118 clientSess = qcrypto_tls_session_new(
119 clientCreds, NULL, NULL,
120 QCRYPTO_TLS_CREDS_ENDPOINT_CLIENT, &err);
121 serverSess = qcrypto_tls_session_new(
122 serverCreds, NULL, NULL,
123 QCRYPTO_TLS_CREDS_ENDPOINT_SERVER, &err);
124
125 g_assert(clientSess != NULL);
126 g_assert(serverSess != NULL);
127
128 /* For handshake to work, we need to set the I/O callbacks
129 * to read/write over the socketpair
130 */
131 qcrypto_tls_session_set_callbacks(serverSess,
132 testWrite, testRead,
133 &channel[0]);
134 qcrypto_tls_session_set_callbacks(clientSess,
135 testWrite, testRead,
136 &channel[1]);
137
138 /*
139 * Finally we loop around & around doing handshake on each
140 * session until we get an error, or the handshake completes.
141 * This relies on the socketpair being nonblocking to avoid
142 * deadlocking ourselves upon handshake
143 */
144 do {
145 int rv;
146 if (!serverShake) {
147 rv = qcrypto_tls_session_handshake(serverSess,
148 &err);
149 g_assert(rv >= 0);
150 if (qcrypto_tls_session_get_handshake_status(serverSess) ==
151 QCRYPTO_TLS_HANDSHAKE_COMPLETE) {
152 serverShake = true;
153 }
154 }
155 if (!clientShake) {
156 rv = qcrypto_tls_session_handshake(clientSess,
157 &err);
158 g_assert(rv >= 0);
159 if (qcrypto_tls_session_get_handshake_status(clientSess) ==
160 QCRYPTO_TLS_HANDSHAKE_COMPLETE) {
161 clientShake = true;
162 }
163 }
164 } while (!clientShake && !serverShake);
165
166
167 /* Finally make sure the server & client validation is successful. */
168 g_assert(qcrypto_tls_session_check_credentials(serverSess, &err) == 0);
169 g_assert(qcrypto_tls_session_check_credentials(clientSess, &err) == 0);
170
171 object_unparent(OBJECT(serverCreds));
172 object_unparent(OBJECT(clientCreds));
173
174 qcrypto_tls_session_free(serverSess);
175 qcrypto_tls_session_free(clientSess);
176
177 close(channel[0]);
178 close(channel[1]);
179 }
180
181
182 struct QCryptoTLSSessionTestData {
183 const char *servercacrt;
184 const char *clientcacrt;
185 const char *servercrt;
186 const char *clientcrt;
187 bool expectServerFail;
188 bool expectClientFail;
189 const char *hostname;
190 const char *const *wildcards;
191 };
192
193 static QCryptoTLSCreds *test_tls_creds_x509_create(
194 QCryptoTLSCredsEndpoint endpoint,
195 const char *certdir,
196 Error **errp)
197 {
198 Error *err = NULL;
199 Object *parent = object_get_objects_root();
200 Object *creds = object_new_with_props(
201 TYPE_QCRYPTO_TLS_CREDS_X509,
202 parent,
203 (endpoint == QCRYPTO_TLS_CREDS_ENDPOINT_SERVER ?
204 "testtlscredsserver" : "testtlscredsclient"),
205 &err,
206 "endpoint", (endpoint == QCRYPTO_TLS_CREDS_ENDPOINT_SERVER ?
207 "server" : "client"),
208 "dir", certdir,
209 "verify-peer", "yes",
210 "priority", "NORMAL",
211 /* We skip initial sanity checks here because we
212 * want to make sure that problems are being
213 * detected at the TLS session validation stage,
214 * and the test-crypto-tlscreds test already
215 * validate the sanity check code.
216 */
217 "sanity-check", "no",
218 NULL
219 );
220
221 if (err) {
222 error_propagate(errp, err);
223 return NULL;
224 }
225 return QCRYPTO_TLS_CREDS(creds);
226 }
227
228
229 /*
230 * This tests validation checking of peer certificates
231 *
232 * This is replicating the checks that are done for an
233 * active TLS session after handshake completes. To
234 * simulate that we create our TLS contexts, skipping
235 * sanity checks. We then get a socketpair, and
236 * initiate a TLS session across them. Finally do
237 * do actual cert validation tests
238 */
239 static void test_crypto_tls_session_x509(const void *opaque)
240 {
241 struct QCryptoTLSSessionTestData *data =
242 (struct QCryptoTLSSessionTestData *)opaque;
243 QCryptoTLSCreds *clientCreds;
244 QCryptoTLSCreds *serverCreds;
245 QCryptoTLSSession *clientSess = NULL;
246 QCryptoTLSSession *serverSess = NULL;
247 qemu_acl *acl;
248 const char * const *wildcards;
249 int channel[2];
250 bool clientShake = false;
251 bool serverShake = false;
252 Error *err = NULL;
253 int ret;
254
255 /* We'll use this for our fake client-server connection */
256 ret = socketpair(AF_UNIX, SOCK_STREAM, 0, channel);
257 g_assert(ret == 0);
258
259 /*
260 * We have an evil loop to do the handshake in a single
261 * thread, so we need these non-blocking to avoid deadlock
262 * of ourselves
263 */
264 qemu_set_nonblock(channel[0]);
265 qemu_set_nonblock(channel[1]);
266
267 #define CLIENT_CERT_DIR "tests/test-crypto-tlssession-client/"
268 #define SERVER_CERT_DIR "tests/test-crypto-tlssession-server/"
269 mkdir(CLIENT_CERT_DIR, 0700);
270 mkdir(SERVER_CERT_DIR, 0700);
271
272 unlink(SERVER_CERT_DIR QCRYPTO_TLS_CREDS_X509_CA_CERT);
273 unlink(SERVER_CERT_DIR QCRYPTO_TLS_CREDS_X509_SERVER_CERT);
274 unlink(SERVER_CERT_DIR QCRYPTO_TLS_CREDS_X509_SERVER_KEY);
275
276 unlink(CLIENT_CERT_DIR QCRYPTO_TLS_CREDS_X509_CA_CERT);
277 unlink(CLIENT_CERT_DIR QCRYPTO_TLS_CREDS_X509_CLIENT_CERT);
278 unlink(CLIENT_CERT_DIR QCRYPTO_TLS_CREDS_X509_CLIENT_KEY);
279
280 g_assert(link(data->servercacrt,
281 SERVER_CERT_DIR QCRYPTO_TLS_CREDS_X509_CA_CERT) == 0);
282 g_assert(link(data->servercrt,
283 SERVER_CERT_DIR QCRYPTO_TLS_CREDS_X509_SERVER_CERT) == 0);
284 g_assert(link(KEYFILE,
285 SERVER_CERT_DIR QCRYPTO_TLS_CREDS_X509_SERVER_KEY) == 0);
286
287 g_assert(link(data->clientcacrt,
288 CLIENT_CERT_DIR QCRYPTO_TLS_CREDS_X509_CA_CERT) == 0);
289 g_assert(link(data->clientcrt,
290 CLIENT_CERT_DIR QCRYPTO_TLS_CREDS_X509_CLIENT_CERT) == 0);
291 g_assert(link(KEYFILE,
292 CLIENT_CERT_DIR QCRYPTO_TLS_CREDS_X509_CLIENT_KEY) == 0);
293
294 clientCreds = test_tls_creds_x509_create(
295 QCRYPTO_TLS_CREDS_ENDPOINT_CLIENT,
296 CLIENT_CERT_DIR,
297 &err);
298 g_assert(clientCreds != NULL);
299
300 serverCreds = test_tls_creds_x509_create(
301 QCRYPTO_TLS_CREDS_ENDPOINT_SERVER,
302 SERVER_CERT_DIR,
303 &err);
304 g_assert(serverCreds != NULL);
305
306 acl = qemu_acl_init("tlssessionacl");
307 qemu_acl_reset(acl);
308 wildcards = data->wildcards;
309 while (wildcards && *wildcards) {
310 qemu_acl_append(acl, 0, *wildcards);
311 wildcards++;
312 }
313
314 /* Now the real part of the test, setup the sessions */
315 clientSess = qcrypto_tls_session_new(
316 clientCreds, data->hostname, NULL,
317 QCRYPTO_TLS_CREDS_ENDPOINT_CLIENT, &err);
318 serverSess = qcrypto_tls_session_new(
319 serverCreds, NULL,
320 data->wildcards ? "tlssessionacl" : NULL,
321 QCRYPTO_TLS_CREDS_ENDPOINT_SERVER, &err);
322
323 g_assert(clientSess != NULL);
324 g_assert(serverSess != NULL);
325
326 /* For handshake to work, we need to set the I/O callbacks
327 * to read/write over the socketpair
328 */
329 qcrypto_tls_session_set_callbacks(serverSess,
330 testWrite, testRead,
331 &channel[0]);
332 qcrypto_tls_session_set_callbacks(clientSess,
333 testWrite, testRead,
334 &channel[1]);
335
336 /*
337 * Finally we loop around & around doing handshake on each
338 * session until we get an error, or the handshake completes.
339 * This relies on the socketpair being nonblocking to avoid
340 * deadlocking ourselves upon handshake
341 */
342 do {
343 int rv;
344 if (!serverShake) {
345 rv = qcrypto_tls_session_handshake(serverSess,
346 &err);
347 g_assert(rv >= 0);
348 if (qcrypto_tls_session_get_handshake_status(serverSess) ==
349 QCRYPTO_TLS_HANDSHAKE_COMPLETE) {
350 serverShake = true;
351 }
352 }
353 if (!clientShake) {
354 rv = qcrypto_tls_session_handshake(clientSess,
355 &err);
356 g_assert(rv >= 0);
357 if (qcrypto_tls_session_get_handshake_status(clientSess) ==
358 QCRYPTO_TLS_HANDSHAKE_COMPLETE) {
359 clientShake = true;
360 }
361 }
362 } while (!clientShake && !serverShake);
363
364
365 /* Finally make sure the server validation does what
366 * we were expecting
367 */
368 if (qcrypto_tls_session_check_credentials(serverSess, &err) < 0) {
369 g_assert(data->expectServerFail);
370 error_free(err);
371 err = NULL;
372 } else {
373 g_assert(!data->expectServerFail);
374 }
375
376 /*
377 * And the same for the client validation check
378 */
379 if (qcrypto_tls_session_check_credentials(clientSess, &err) < 0) {
380 g_assert(data->expectClientFail);
381 error_free(err);
382 err = NULL;
383 } else {
384 g_assert(!data->expectClientFail);
385 }
386
387 unlink(SERVER_CERT_DIR QCRYPTO_TLS_CREDS_X509_CA_CERT);
388 unlink(SERVER_CERT_DIR QCRYPTO_TLS_CREDS_X509_SERVER_CERT);
389 unlink(SERVER_CERT_DIR QCRYPTO_TLS_CREDS_X509_SERVER_KEY);
390
391 unlink(CLIENT_CERT_DIR QCRYPTO_TLS_CREDS_X509_CA_CERT);
392 unlink(CLIENT_CERT_DIR QCRYPTO_TLS_CREDS_X509_CLIENT_CERT);
393 unlink(CLIENT_CERT_DIR QCRYPTO_TLS_CREDS_X509_CLIENT_KEY);
394
395 rmdir(CLIENT_CERT_DIR);
396 rmdir(SERVER_CERT_DIR);
397
398 object_unparent(OBJECT(serverCreds));
399 object_unparent(OBJECT(clientCreds));
400
401 qcrypto_tls_session_free(serverSess);
402 qcrypto_tls_session_free(clientSess);
403
404 close(channel[0]);
405 close(channel[1]);
406 }
407
408
409 int main(int argc, char **argv)
410 {
411 int ret;
412
413 module_call_init(MODULE_INIT_QOM);
414 g_test_init(&argc, &argv, NULL);
415 setenv("GNUTLS_FORCE_FIPS_MODE", "2", 1);
416
417 mkdir(WORKDIR, 0700);
418
419 test_tls_init(KEYFILE);
420 test_tls_psk_init(PSKFILE);
421
422 /* Simple initial test using Pre-Shared Keys. */
423 g_test_add_func("/qcrypto/tlssession/psk",
424 test_crypto_tls_session_psk);
425
426 /* More complex tests using X.509 certificates. */
427 # define TEST_SESS_REG(name, caCrt, \
428 serverCrt, clientCrt, \
429 expectServerFail, expectClientFail, \
430 hostname, wildcards) \
431 struct QCryptoTLSSessionTestData name = { \
432 caCrt, caCrt, serverCrt, clientCrt, \
433 expectServerFail, expectClientFail, \
434 hostname, wildcards \
435 }; \
436 g_test_add_data_func("/qcrypto/tlssession/" # name, \
437 &name, test_crypto_tls_session_x509); \
438
439
440 # define TEST_SESS_REG_EXT(name, serverCaCrt, clientCaCrt, \
441 serverCrt, clientCrt, \
442 expectServerFail, expectClientFail, \
443 hostname, wildcards) \
444 struct QCryptoTLSSessionTestData name = { \
445 serverCaCrt, clientCaCrt, serverCrt, clientCrt, \
446 expectServerFail, expectClientFail, \
447 hostname, wildcards \
448 }; \
449 g_test_add_data_func("/qcrypto/tlssession/" # name, \
450 &name, test_crypto_tls_session_x509); \
451
452 /* A perfect CA, perfect client & perfect server */
453
454 /* Basic:CA:critical */
455 TLS_ROOT_REQ(cacertreq,
456 "UK", "qemu CA", NULL, NULL, NULL, NULL,
457 true, true, true,
458 true, true, GNUTLS_KEY_KEY_CERT_SIGN,
459 false, false, NULL, NULL,
460 0, 0);
461
462 TLS_ROOT_REQ(altcacertreq,
463 "UK", "qemu CA 1", NULL, NULL, NULL, NULL,
464 true, true, true,
465 false, false, 0,
466 false, false, NULL, NULL,
467 0, 0);
468
469 TLS_CERT_REQ(servercertreq, cacertreq,
470 "UK", "qemu.org", NULL, NULL, NULL, NULL,
471 true, true, false,
472 true, true,
473 GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT,
474 true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL,
475 0, 0);
476 TLS_CERT_REQ(clientcertreq, cacertreq,
477 "UK", "qemu", NULL, NULL, NULL, NULL,
478 true, true, false,
479 true, true,
480 GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT,
481 true, true, GNUTLS_KP_TLS_WWW_CLIENT, NULL,
482 0, 0);
483
484 TLS_CERT_REQ(clientcertaltreq, altcacertreq,
485 "UK", "qemu", NULL, NULL, NULL, NULL,
486 true, true, false,
487 true, true,
488 GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT,
489 true, true, GNUTLS_KP_TLS_WWW_CLIENT, NULL,
490 0, 0);
491
492 TEST_SESS_REG(basicca, cacertreq.filename,
493 servercertreq.filename, clientcertreq.filename,
494 false, false, "qemu.org", NULL);
495 TEST_SESS_REG_EXT(differentca, cacertreq.filename,
496 altcacertreq.filename, servercertreq.filename,
497 clientcertaltreq.filename, true, true, "qemu.org", NULL);
498
499
500 /* When an altname is set, the CN is ignored, so it must be duplicated
501 * as an altname for it to match */
502 TLS_CERT_REQ(servercertalt1req, cacertreq,
503 "UK", "qemu.org", "www.qemu.org", "qemu.org",
504 "192.168.122.1", "fec0::dead:beaf",
505 true, true, false,
506 true, true,
507 GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT,
508 true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL,
509 0, 0);
510 /* This intentionally doesn't replicate */
511 TLS_CERT_REQ(servercertalt2req, cacertreq,
512 "UK", "qemu.org", "www.qemu.org", "wiki.qemu.org",
513 "192.168.122.1", "fec0::dead:beaf",
514 true, true, false,
515 true, true,
516 GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT,
517 true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL,
518 0, 0);
519
520 TEST_SESS_REG(altname1, cacertreq.filename,
521 servercertalt1req.filename, clientcertreq.filename,
522 false, false, "qemu.org", NULL);
523 TEST_SESS_REG(altname2, cacertreq.filename,
524 servercertalt1req.filename, clientcertreq.filename,
525 false, false, "www.qemu.org", NULL);
526 TEST_SESS_REG(altname3, cacertreq.filename,
527 servercertalt1req.filename, clientcertreq.filename,
528 false, true, "wiki.qemu.org", NULL);
529
530 TEST_SESS_REG(altname4, cacertreq.filename,
531 servercertalt2req.filename, clientcertreq.filename,
532 false, true, "qemu.org", NULL);
533 TEST_SESS_REG(altname5, cacertreq.filename,
534 servercertalt2req.filename, clientcertreq.filename,
535 false, false, "www.qemu.org", NULL);
536 TEST_SESS_REG(altname6, cacertreq.filename,
537 servercertalt2req.filename, clientcertreq.filename,
538 false, false, "wiki.qemu.org", NULL);
539
540 const char *const wildcards1[] = {
541 "C=UK,CN=dogfood",
542 NULL,
543 };
544 const char *const wildcards2[] = {
545 "C=UK,CN=qemu",
546 NULL,
547 };
548 const char *const wildcards3[] = {
549 "C=UK,CN=dogfood",
550 "C=UK,CN=qemu",
551 NULL,
552 };
553 const char *const wildcards4[] = {
554 "C=UK,CN=qemustuff",
555 NULL,
556 };
557 const char *const wildcards5[] = {
558 "C=UK,CN=qemu*",
559 NULL,
560 };
561 const char *const wildcards6[] = {
562 "C=UK,CN=*emu*",
563 NULL,
564 };
565
566 TEST_SESS_REG(wildcard1, cacertreq.filename,
567 servercertreq.filename, clientcertreq.filename,
568 true, false, "qemu.org", wildcards1);
569 TEST_SESS_REG(wildcard2, cacertreq.filename,
570 servercertreq.filename, clientcertreq.filename,
571 false, false, "qemu.org", wildcards2);
572 TEST_SESS_REG(wildcard3, cacertreq.filename,
573 servercertreq.filename, clientcertreq.filename,
574 false, false, "qemu.org", wildcards3);
575 TEST_SESS_REG(wildcard4, cacertreq.filename,
576 servercertreq.filename, clientcertreq.filename,
577 true, false, "qemu.org", wildcards4);
578 TEST_SESS_REG(wildcard5, cacertreq.filename,
579 servercertreq.filename, clientcertreq.filename,
580 false, false, "qemu.org", wildcards5);
581 TEST_SESS_REG(wildcard6, cacertreq.filename,
582 servercertreq.filename, clientcertreq.filename,
583 false, false, "qemu.org", wildcards6);
584
585 TLS_ROOT_REQ(cacertrootreq,
586 "UK", "qemu root", NULL, NULL, NULL, NULL,
587 true, true, true,
588 true, true, GNUTLS_KEY_KEY_CERT_SIGN,
589 false, false, NULL, NULL,
590 0, 0);
591 TLS_CERT_REQ(cacertlevel1areq, cacertrootreq,
592 "UK", "qemu level 1a", NULL, NULL, NULL, NULL,
593 true, true, true,
594 true, true, GNUTLS_KEY_KEY_CERT_SIGN,
595 false, false, NULL, NULL,
596 0, 0);
597 TLS_CERT_REQ(cacertlevel1breq, cacertrootreq,
598 "UK", "qemu level 1b", NULL, NULL, NULL, NULL,
599 true, true, true,
600 true, true, GNUTLS_KEY_KEY_CERT_SIGN,
601 false, false, NULL, NULL,
602 0, 0);
603 TLS_CERT_REQ(cacertlevel2areq, cacertlevel1areq,
604 "UK", "qemu level 2a", NULL, NULL, NULL, NULL,
605 true, true, true,
606 true, true, GNUTLS_KEY_KEY_CERT_SIGN,
607 false, false, NULL, NULL,
608 0, 0);
609 TLS_CERT_REQ(servercertlevel3areq, cacertlevel2areq,
610 "UK", "qemu.org", NULL, NULL, NULL, NULL,
611 true, true, false,
612 true, true,
613 GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT,
614 true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL,
615 0, 0);
616 TLS_CERT_REQ(clientcertlevel2breq, cacertlevel1breq,
617 "UK", "qemu client level 2b", NULL, NULL, NULL, NULL,
618 true, true, false,
619 true, true,
620 GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT,
621 true, true, GNUTLS_KP_TLS_WWW_CLIENT, NULL,
622 0, 0);
623
624 gnutls_x509_crt_t certchain[] = {
625 cacertrootreq.crt,
626 cacertlevel1areq.crt,
627 cacertlevel1breq.crt,
628 cacertlevel2areq.crt,
629 };
630
631 test_tls_write_cert_chain(WORKDIR "cacertchain-sess.pem",
632 certchain,
633 G_N_ELEMENTS(certchain));
634
635 TEST_SESS_REG(cachain, WORKDIR "cacertchain-sess.pem",
636 servercertlevel3areq.filename, clientcertlevel2breq.filename,
637 false, false, "qemu.org", NULL);
638
639 ret = g_test_run();
640
641 test_tls_discard_cert(&clientcertreq);
642 test_tls_discard_cert(&clientcertaltreq);
643
644 test_tls_discard_cert(&servercertreq);
645 test_tls_discard_cert(&servercertalt1req);
646 test_tls_discard_cert(&servercertalt2req);
647
648 test_tls_discard_cert(&cacertreq);
649 test_tls_discard_cert(&altcacertreq);
650
651 test_tls_discard_cert(&cacertrootreq);
652 test_tls_discard_cert(&cacertlevel1areq);
653 test_tls_discard_cert(&cacertlevel1breq);
654 test_tls_discard_cert(&cacertlevel2areq);
655 test_tls_discard_cert(&servercertlevel3areq);
656 test_tls_discard_cert(&clientcertlevel2breq);
657 unlink(WORKDIR "cacertchain-sess.pem");
658
659 test_tls_psk_cleanup(PSKFILE);
660 test_tls_cleanup(KEYFILE);
661 rmdir(WORKDIR);
662
663 return ret == 0 ? EXIT_SUCCESS : EXIT_FAILURE;
664 }
665
666 #else /* ! QCRYPTO_HAVE_TLS_TEST_SUPPORT */
667
668 int
669 main(void)
670 {
671 return EXIT_SUCCESS;
672 }
673
674 #endif /* ! QCRYPTO_HAVE_TLS_TEST_SUPPORT */
AR7 emulation for QEMU