[qemu.git] / tests / test-io-channel-tls.c

/*
 * QEMU I/O channel TLS test
 *
 * Copyright (C) 2015 Red Hat, Inc.
 *
 * This library is free software; you can redistribute it and/or
 * modify it under the terms of the GNU Lesser General Public
 * License as published by the Free Software Foundation; either
 * version 2.1 of the License, or (at your option) any later version.
 *
 * This library is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
 * Lesser General Public License for more details.
 *
 * You should have received a copy of the GNU Lesser General Public
 * License along with this library.  If not, see
 * <http://www.gnu.org/licenses/>.
 *
 * Author: Daniel P. Berrange <[email protected]>
 */


#include "qemu/osdep.h"

#include "crypto-tls-x509-helpers.h"
#include "io/channel-tls.h"
#include "io/channel-socket.h"
#include "io-channel-helpers.h"
#include "crypto/init.h"
#include "crypto/tlscredsx509.h"
#include "qemu/acl.h"
#include "qapi/error.h"
#include "qom/object_interfaces.h"

#ifdef QCRYPTO_HAVE_TLS_TEST_SUPPORT

#define WORKDIR "tests/test-io-channel-tls-work/"
#define KEYFILE WORKDIR "key-ctx.pem"

struct QIOChannelTLSTestData {
    const char *servercacrt;
    const char *clientcacrt;
    const char *servercrt;
    const char *clientcrt;
    bool expectServerFail;
    bool expectClientFail;
    const char *hostname;
    const char *const *wildcards;
};

struct QIOChannelTLSHandshakeData {
    bool finished;
    bool failed;
};

static void test_tls_handshake_done(QIOTask *task,
                                    gpointer opaque)
{
    struct QIOChannelTLSHandshakeData *data = opaque;

    data->finished = true;
    data->failed = qio_task_propagate_error(task, NULL);
}


static QCryptoTLSCreds *test_tls_creds_create(QCryptoTLSCredsEndpoint endpoint,
                                              const char *certdir)
{
    Object *parent = object_get_objects_root();
    Object *creds = object_new_with_props(
        TYPE_QCRYPTO_TLS_CREDS_X509,
        parent,
        (endpoint == QCRYPTO_TLS_CREDS_ENDPOINT_SERVER ?
         "testtlscredsserver" : "testtlscredsclient"),
        &error_abort,
        "endpoint", (endpoint == QCRYPTO_TLS_CREDS_ENDPOINT_SERVER ?
                     "server" : "client"),
        "dir", certdir,
        "verify-peer", "yes",
        "priority", "NORMAL",
        /* We skip initial sanity checks here because we
         * want to make sure that problems are being
         * detected at the TLS session validation stage,
         * and the test-crypto-tlscreds test already
         * validate the sanity check code.
         */
        "sanity-check", "no",
        NULL
        );

    return QCRYPTO_TLS_CREDS(creds);
}


/*
 * This tests validation checking of peer certificates
 *
 * This is replicating the checks that are done for an
 * active TLS session after handshake completes. To
 * simulate that we create our TLS contexts, skipping
 * sanity checks. When then get a socketpair, and
 * initiate a TLS session across them. Finally do
 * do actual cert validation tests
 */
static void test_io_channel_tls(const void *opaque)
{
    struct QIOChannelTLSTestData *data =
        (struct QIOChannelTLSTestData *)opaque;
    QCryptoTLSCreds *clientCreds;
    QCryptoTLSCreds *serverCreds;
    QIOChannelTLS *clientChanTLS;
    QIOChannelTLS *serverChanTLS;
    QIOChannelSocket *clientChanSock;
    QIOChannelSocket *serverChanSock;
    qemu_acl *acl;
    const char * const *wildcards;
    int channel[2];
    struct QIOChannelTLSHandshakeData clientHandshake = { false, false };
    struct QIOChannelTLSHandshakeData serverHandshake = { false, false };
    QIOChannelTest *test;
    GMainContext *mainloop;

    /* We'll use this for our fake client-server connection */
    g_assert(socketpair(AF_UNIX, SOCK_STREAM, 0, channel) == 0);

#define CLIENT_CERT_DIR "tests/test-io-channel-tls-client/"
#define SERVER_CERT_DIR "tests/test-io-channel-tls-server/"
    mkdir(CLIENT_CERT_DIR, 0700);
    mkdir(SERVER_CERT_DIR, 0700);

    unlink(SERVER_CERT_DIR QCRYPTO_TLS_CREDS_X509_CA_CERT);
    unlink(SERVER_CERT_DIR QCRYPTO_TLS_CREDS_X509_SERVER_CERT);
    unlink(SERVER_CERT_DIR QCRYPTO_TLS_CREDS_X509_SERVER_KEY);

    unlink(CLIENT_CERT_DIR QCRYPTO_TLS_CREDS_X509_CA_CERT);
    unlink(CLIENT_CERT_DIR QCRYPTO_TLS_CREDS_X509_CLIENT_CERT);
    unlink(CLIENT_CERT_DIR QCRYPTO_TLS_CREDS_X509_CLIENT_KEY);

    g_assert(link(data->servercacrt,
                  SERVER_CERT_DIR QCRYPTO_TLS_CREDS_X509_CA_CERT) == 0);
    g_assert(link(data->servercrt,
                  SERVER_CERT_DIR QCRYPTO_TLS_CREDS_X509_SERVER_CERT) == 0);
    g_assert(link(KEYFILE,
                  SERVER_CERT_DIR QCRYPTO_TLS_CREDS_X509_SERVER_KEY) == 0);

    g_assert(link(data->clientcacrt,
                  CLIENT_CERT_DIR QCRYPTO_TLS_CREDS_X509_CA_CERT) == 0);
    g_assert(link(data->clientcrt,
                  CLIENT_CERT_DIR QCRYPTO_TLS_CREDS_X509_CLIENT_CERT) == 0);
    g_assert(link(KEYFILE,
                  CLIENT_CERT_DIR QCRYPTO_TLS_CREDS_X509_CLIENT_KEY) == 0);

    clientCreds = test_tls_creds_create(
        QCRYPTO_TLS_CREDS_ENDPOINT_CLIENT,
        CLIENT_CERT_DIR);
    g_assert(clientCreds != NULL);

    serverCreds = test_tls_creds_create(
        QCRYPTO_TLS_CREDS_ENDPOINT_SERVER,
        SERVER_CERT_DIR);
    g_assert(serverCreds != NULL);

    acl = qemu_acl_init("channeltlsacl");
    qemu_acl_reset(acl);
    wildcards = data->wildcards;
    while (wildcards && *wildcards) {
        qemu_acl_append(acl, 0, *wildcards);
        wildcards++;
    }

    clientChanSock = qio_channel_socket_new_fd(
        channel[0], &error_abort);
    g_assert(clientChanSock != NULL);
    serverChanSock = qio_channel_socket_new_fd(
        channel[1], &error_abort);
    g_assert(serverChanSock != NULL);

    /*
     * We have an evil loop to do the handshake in a single
     * thread, so we need these non-blocking to avoid deadlock
     * of ourselves
     */
    qio_channel_set_blocking(QIO_CHANNEL(clientChanSock), false, NULL);
    qio_channel_set_blocking(QIO_CHANNEL(serverChanSock), false, NULL);

    /* Now the real part of the test, setup the sessions */
    clientChanTLS = qio_channel_tls_new_client(
        QIO_CHANNEL(clientChanSock), clientCreds,
        data->hostname, &error_abort);
    g_assert(clientChanTLS != NULL);

    serverChanTLS = qio_channel_tls_new_server(
        QIO_CHANNEL(serverChanSock), serverCreds,
        "channeltlsacl", &error_abort);
    g_assert(serverChanTLS != NULL);

    qio_channel_tls_handshake(clientChanTLS,
                              test_tls_handshake_done,
                              &clientHandshake,
                              NULL,
                              NULL);
    qio_channel_tls_handshake(serverChanTLS,
                              test_tls_handshake_done,
                              &serverHandshake,
                              NULL,
                              NULL);

    /*
     * Finally we loop around & around doing handshake on each
     * session until we get an error, or the handshake completes.
     * This relies on the socketpair being nonblocking to avoid
     * deadlocking ourselves upon handshake
     */
    mainloop = g_main_context_default();
    do {
        g_main_context_iteration(mainloop, TRUE);
    } while (!clientHandshake.finished ||
             !serverHandshake.finished);

    g_assert(clientHandshake.failed == data->expectClientFail);
    g_assert(serverHandshake.failed == data->expectServerFail);

    test = qio_channel_test_new();
    qio_channel_test_run_threads(test, false,
                                 QIO_CHANNEL(clientChanTLS),
                                 QIO_CHANNEL(serverChanTLS));
    qio_channel_test_validate(test);

    test = qio_channel_test_new();
    qio_channel_test_run_threads(test, true,
                                 QIO_CHANNEL(clientChanTLS),
                                 QIO_CHANNEL(serverChanTLS));
    qio_channel_test_validate(test);

    unlink(SERVER_CERT_DIR QCRYPTO_TLS_CREDS_X509_CA_CERT);
    unlink(SERVER_CERT_DIR QCRYPTO_TLS_CREDS_X509_SERVER_CERT);
    unlink(SERVER_CERT_DIR QCRYPTO_TLS_CREDS_X509_SERVER_KEY);

    unlink(CLIENT_CERT_DIR QCRYPTO_TLS_CREDS_X509_CA_CERT);
    unlink(CLIENT_CERT_DIR QCRYPTO_TLS_CREDS_X509_CLIENT_CERT);
    unlink(CLIENT_CERT_DIR QCRYPTO_TLS_CREDS_X509_CLIENT_KEY);

    rmdir(CLIENT_CERT_DIR);
    rmdir(SERVER_CERT_DIR);

    object_unparent(OBJECT(serverCreds));
    object_unparent(OBJECT(clientCreds));

    object_unref(OBJECT(serverChanTLS));
    object_unref(OBJECT(clientChanTLS));

    object_unref(OBJECT(serverChanSock));
    object_unref(OBJECT(clientChanSock));

    close(channel[0]);
    close(channel[1]);
}


int main(int argc, char **argv)
{
    int ret;

    g_assert(qcrypto_init(NULL) == 0);

    module_call_init(MODULE_INIT_QOM);
    g_test_init(&argc, &argv, NULL);
    setenv("GNUTLS_FORCE_FIPS_MODE", "2", 1);

    mkdir(WORKDIR, 0700);

    test_tls_init(KEYFILE);

# define TEST_CHANNEL(name, caCrt,                                      \
                      serverCrt, clientCrt,                             \
                      expectServerFail, expectClientFail,               \
                      hostname, wildcards)                              \
    struct QIOChannelTLSTestData name = {                               \
        caCrt, caCrt, serverCrt, clientCrt,                             \
        expectServerFail, expectClientFail,                             \
        hostname, wildcards                                             \
    };                                                                  \
    g_test_add_data_func("/qio/channel/tls/" # name,                    \
                         &name, test_io_channel_tls);

    /* A perfect CA, perfect client & perfect server */

    /* Basic:CA:critical */
    TLS_ROOT_REQ(cacertreq,
                 "UK", "qemu CA", NULL, NULL, NULL, NULL,
                 true, true, true,
                 true, true, GNUTLS_KEY_KEY_CERT_SIGN,
                 false, false, NULL, NULL,
                 0, 0);
    TLS_CERT_REQ(servercertreq, cacertreq,
                 "UK", "qemu.org", NULL, NULL, NULL, NULL,
                 true, true, false,
                 true, true,
                 GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT,
                 true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL,
                 0, 0);
    TLS_CERT_REQ(clientcertreq, cacertreq,
                 "UK", "qemu", NULL, NULL, NULL, NULL,
                 true, true, false,
                 true, true,
                 GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT,
                 true, true, GNUTLS_KP_TLS_WWW_CLIENT, NULL,
                 0, 0);

    const char *const wildcards[] = {
        "C=UK,CN=qemu*",
        NULL,
    };
    TEST_CHANNEL(basic, cacertreq.filename, servercertreq.filename,
                 clientcertreq.filename, false, false,
                 "qemu.org", wildcards);

    ret = g_test_run();

    test_tls_discard_cert(&clientcertreq);
    test_tls_discard_cert(&servercertreq);
    test_tls_discard_cert(&cacertreq);

    test_tls_cleanup(KEYFILE);
    rmdir(WORKDIR);

    return ret == 0 ? EXIT_SUCCESS : EXIT_FAILURE;
}

#else /* ! QCRYPTO_HAVE_TLS_TEST_SUPPORT */

int
main(void)
{
    return EXIT_SUCCESS;
}

#endif /* ! QCRYPTO_HAVE_TLS_TEST_SUPPORT */
Commit	Line	Data
ed8ee42c DB	1	/*
	2	* QEMU I/O channel TLS test
	3	*
	4	* Copyright (C) 2015 Red Hat, Inc.
	5	*
	6	* This library is free software; you can redistribute it and/or
	7	* modify it under the terms of the GNU Lesser General Public
	8	* License as published by the Free Software Foundation; either
	9	* version 2.1 of the License, or (at your option) any later version.
	10	*
	11	* This library is distributed in the hope that it will be useful,
	12	* but WITHOUT ANY WARRANTY; without even the implied warranty of
	13	* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
	14	* Lesser General Public License for more details.
	15	*
	16	* You should have received a copy of the GNU Lesser General Public
	17	* License along with this library. If not, see
	18	* <http://www.gnu.org/licenses/>.
	19	*
	20	* Author: Daniel P. Berrange <[email protected]>
	21	*/
	22
	23
681c28a3	24	#include "qemu/osdep.h"
ed8ee42c	25
ed8ee42c DB	26	#include "crypto-tls-x509-helpers.h"
	27	#include "io/channel-tls.h"
	28	#include "io/channel-socket.h"
	29	#include "io-channel-helpers.h"
d26d6b5d	30	#include "crypto/init.h"
ed8ee42c DB	31	#include "crypto/tlscredsx509.h"
ed8ee42c DB	32	#include "qemu/acl.h"
68db1318	33	#include "qapi/error.h"
ed8ee42c DB	34	#include "qom/object_interfaces.h"
	35
	36	#ifdef QCRYPTO_HAVE_TLS_TEST_SUPPORT
	37
	38	#define WORKDIR "tests/test-io-channel-tls-work/"
	39	#define KEYFILE WORKDIR "key-ctx.pem"
	40
	41	struct QIOChannelTLSTestData {
	42	const char *servercacrt;
	43	const char *clientcacrt;
	44	const char *servercrt;
	45	const char *clientcrt;
	46	bool expectServerFail;
	47	bool expectClientFail;
	48	const char *hostname;
	49	const char const wildcards;
	50	};
	51
	52	struct QIOChannelTLSHandshakeData {
	53	bool finished;
	54	bool failed;
	55	};
	56
60e705c5	57	static void test_tls_handshake_done(QIOTask *task,
ed8ee42c DB	58	gpointer opaque)
	59	{
	60	struct QIOChannelTLSHandshakeData *data = opaque;
	61
	62	data->finished = true;
60e705c5	63	data->failed = qio_task_propagate_error(task, NULL);
ed8ee42c DB	64	}
	65
	66
	67	static QCryptoTLSCreds *test_tls_creds_create(QCryptoTLSCredsEndpoint endpoint,
68db1318	68	const char *certdir)
ed8ee42c DB	69	{
	70	Object *parent = object_get_objects_root();
	71	Object *creds = object_new_with_props(
	72	TYPE_QCRYPTO_TLS_CREDS_X509,
	73	parent,
	74	(endpoint == QCRYPTO_TLS_CREDS_ENDPOINT_SERVER ?
	75	"testtlscredsserver" : "testtlscredsclient"),
68db1318	76	&error_abort,
ed8ee42c DB	77	"endpoint", (endpoint == QCRYPTO_TLS_CREDS_ENDPOINT_SERVER ?
	78	"server" : "client"),
	79	"dir", certdir,
	80	"verify-peer", "yes",
057ad0b4	81	"priority", "NORMAL",
ed8ee42c DB	82	/* We skip initial sanity checks here because we
	83	* want to make sure that problems are being
	84	* detected at the TLS session validation stage,
	85	* and the test-crypto-tlscreds test already
	86	* validate the sanity check code.
	87	*/
	88	"sanity-check", "no",
	89	NULL
	90	);
	91
ed8ee42c DB	92	return QCRYPTO_TLS_CREDS(creds);
	93	}
	94
	95
	96	/*
	97	* This tests validation checking of peer certificates
	98	*
	99	* This is replicating the checks that are done for an
	100	* active TLS session after handshake completes. To
	101	* simulate that we create our TLS contexts, skipping
	102	* sanity checks. When then get a socketpair, and
	103	* initiate a TLS session across them. Finally do
	104	* do actual cert validation tests
	105	*/
	106	static void test_io_channel_tls(const void *opaque)
	107	{
	108	struct QIOChannelTLSTestData *data =
	109	(struct QIOChannelTLSTestData *)opaque;
	110	QCryptoTLSCreds *clientCreds;
	111	QCryptoTLSCreds *serverCreds;
	112	QIOChannelTLS *clientChanTLS;
	113	QIOChannelTLS *serverChanTLS;
	114	QIOChannelSocket *clientChanSock;
	115	QIOChannelSocket *serverChanSock;
	116	qemu_acl *acl;
	117	const char * const *wildcards;
	118	int channel[2];
	119	struct QIOChannelTLSHandshakeData clientHandshake = { false, false };
	120	struct QIOChannelTLSHandshakeData serverHandshake = { false, false };
ed8ee42c DB	121	QIOChannelTest *test;
	122	GMainContext *mainloop;
	123
	124	/* We'll use this for our fake client-server connection */
	125	g_assert(socketpair(AF_UNIX, SOCK_STREAM, 0, channel) == 0);
	126
d4adf967 DB	127	#define CLIENT_CERT_DIR "tests/test-io-channel-tls-client/"
d4adf967 DB	128	#define SERVER_CERT_DIR "tests/test-io-channel-tls-server/"
ed8ee42c DB	129	mkdir(CLIENT_CERT_DIR, 0700);
	130	mkdir(SERVER_CERT_DIR, 0700);
	131
	132	unlink(SERVER_CERT_DIR QCRYPTO_TLS_CREDS_X509_CA_CERT);
	133	unlink(SERVER_CERT_DIR QCRYPTO_TLS_CREDS_X509_SERVER_CERT);
	134	unlink(SERVER_CERT_DIR QCRYPTO_TLS_CREDS_X509_SERVER_KEY);
	135
	136	unlink(CLIENT_CERT_DIR QCRYPTO_TLS_CREDS_X509_CA_CERT);
	137	unlink(CLIENT_CERT_DIR QCRYPTO_TLS_CREDS_X509_CLIENT_CERT);
	138	unlink(CLIENT_CERT_DIR QCRYPTO_TLS_CREDS_X509_CLIENT_KEY);
	139
	140	g_assert(link(data->servercacrt,
	141	SERVER_CERT_DIR QCRYPTO_TLS_CREDS_X509_CA_CERT) == 0);
	142	g_assert(link(data->servercrt,
	143	SERVER_CERT_DIR QCRYPTO_TLS_CREDS_X509_SERVER_CERT) == 0);
	144	g_assert(link(KEYFILE,
	145	SERVER_CERT_DIR QCRYPTO_TLS_CREDS_X509_SERVER_KEY) == 0);
	146
	147	g_assert(link(data->clientcacrt,
	148	CLIENT_CERT_DIR QCRYPTO_TLS_CREDS_X509_CA_CERT) == 0);
	149	g_assert(link(data->clientcrt,
	150	CLIENT_CERT_DIR QCRYPTO_TLS_CREDS_X509_CLIENT_CERT) == 0);
	151	g_assert(link(KEYFILE,
	152	CLIENT_CERT_DIR QCRYPTO_TLS_CREDS_X509_CLIENT_KEY) == 0);
	153
	154	clientCreds = test_tls_creds_create(
	155	QCRYPTO_TLS_CREDS_ENDPOINT_CLIENT,
68db1318	156	CLIENT_CERT_DIR);
ed8ee42c DB	157	g_assert(clientCreds != NULL);
	158
	159	serverCreds = test_tls_creds_create(
	160	QCRYPTO_TLS_CREDS_ENDPOINT_SERVER,
68db1318	161	SERVER_CERT_DIR);
ed8ee42c DB	162	g_assert(serverCreds != NULL);
	163
	164	acl = qemu_acl_init("channeltlsacl");
	165	qemu_acl_reset(acl);
	166	wildcards = data->wildcards;
	167	while (wildcards && *wildcards) {
	168	qemu_acl_append(acl, 0, *wildcards);
	169	wildcards++;
	170	}
	171
	172	clientChanSock = qio_channel_socket_new_fd(
68db1318	173	channel[0], &error_abort);
ed8ee42c DB	174	g_assert(clientChanSock != NULL);
ed8ee42c DB	175	serverChanSock = qio_channel_socket_new_fd(
68db1318	176	channel[1], &error_abort);
ed8ee42c DB	177	g_assert(serverChanSock != NULL);
	178
	179	/*
	180	* We have an evil loop to do the handshake in a single
	181	* thread, so we need these non-blocking to avoid deadlock
	182	* of ourselves
	183	*/
	184	qio_channel_set_blocking(QIO_CHANNEL(clientChanSock), false, NULL);
	185	qio_channel_set_blocking(QIO_CHANNEL(serverChanSock), false, NULL);
	186
	187	/* Now the real part of the test, setup the sessions */
	188	clientChanTLS = qio_channel_tls_new_client(
	189	QIO_CHANNEL(clientChanSock), clientCreds,
68db1318	190	data->hostname, &error_abort);
ed8ee42c DB	191	g_assert(clientChanTLS != NULL);
	192
	193	serverChanTLS = qio_channel_tls_new_server(
	194	QIO_CHANNEL(serverChanSock), serverCreds,
68db1318	195	"channeltlsacl", &error_abort);
ed8ee42c DB	196	g_assert(serverChanTLS != NULL);
	197
	198	qio_channel_tls_handshake(clientChanTLS,
	199	test_tls_handshake_done,
	200	&clientHandshake,
1939ccda	201	NULL,
ed8ee42c DB	202	NULL);
	203	qio_channel_tls_handshake(serverChanTLS,
	204	test_tls_handshake_done,
	205	&serverHandshake,
1939ccda	206	NULL,
ed8ee42c DB	207	NULL);
	208
	209	/*
	210	* Finally we loop around & around doing handshake on each
	211	* session until we get an error, or the handshake completes.
	212	* This relies on the socketpair being nonblocking to avoid
	213	* deadlocking ourselves upon handshake
	214	*/
	215	mainloop = g_main_context_default();
	216	do {
	217	g_main_context_iteration(mainloop, TRUE);
689ed13e	218	} while (!clientHandshake.finished \|\|
ed8ee42c DB	219	!serverHandshake.finished);
	220
	221	g_assert(clientHandshake.failed == data->expectClientFail);
	222	g_assert(serverHandshake.failed == data->expectServerFail);
	223
	224	test = qio_channel_test_new();
	225	qio_channel_test_run_threads(test, false,
	226	QIO_CHANNEL(clientChanTLS),
	227	QIO_CHANNEL(serverChanTLS));
	228	qio_channel_test_validate(test);
	229
	230	test = qio_channel_test_new();
	231	qio_channel_test_run_threads(test, true,
	232	QIO_CHANNEL(clientChanTLS),
	233	QIO_CHANNEL(serverChanTLS));
	234	qio_channel_test_validate(test);
	235
	236	unlink(SERVER_CERT_DIR QCRYPTO_TLS_CREDS_X509_CA_CERT);
	237	unlink(SERVER_CERT_DIR QCRYPTO_TLS_CREDS_X509_SERVER_CERT);
	238	unlink(SERVER_CERT_DIR QCRYPTO_TLS_CREDS_X509_SERVER_KEY);
	239
	240	unlink(CLIENT_CERT_DIR QCRYPTO_TLS_CREDS_X509_CA_CERT);
	241	unlink(CLIENT_CERT_DIR QCRYPTO_TLS_CREDS_X509_CLIENT_CERT);
	242	unlink(CLIENT_CERT_DIR QCRYPTO_TLS_CREDS_X509_CLIENT_KEY);
	243
	244	rmdir(CLIENT_CERT_DIR);
	245	rmdir(SERVER_CERT_DIR);
	246
	247	object_unparent(OBJECT(serverCreds));
	248	object_unparent(OBJECT(clientCreds));
	249
	250	object_unref(OBJECT(serverChanTLS));
	251	object_unref(OBJECT(clientChanTLS));
	252
	253	object_unref(OBJECT(serverChanSock));
	254	object_unref(OBJECT(clientChanSock));
	255
	256	close(channel[0]);
	257	close(channel[1]);
	258	}
	259
	260
	261	int main(int argc, char **argv)
	262	{
	263	int ret;
	264
d26d6b5d DB	265	g_assert(qcrypto_init(NULL) == 0);
d26d6b5d DB	266
ed8ee42c DB	267	module_call_init(MODULE_INIT_QOM);
	268	g_test_init(&argc, &argv, NULL);
	269	setenv("GNUTLS_FORCE_FIPS_MODE", "2", 1);
	270
	271	mkdir(WORKDIR, 0700);
	272
	273	test_tls_init(KEYFILE);
	274
	275	# define TEST_CHANNEL(name, caCrt, \
	276	serverCrt, clientCrt, \
	277	expectServerFail, expectClientFail, \
	278	hostname, wildcards) \
	279	struct QIOChannelTLSTestData name = { \
	280	caCrt, caCrt, serverCrt, clientCrt, \
	281	expectServerFail, expectClientFail, \
	282	hostname, wildcards \
	283	}; \
	284	g_test_add_data_func("/qio/channel/tls/" # name, \
	285	&name, test_io_channel_tls);
	286
	287	/* A perfect CA, perfect client & perfect server */
	288
	289	/* Basic:CA:critical */
	290	TLS_ROOT_REQ(cacertreq,
	291	"UK", "qemu CA", NULL, NULL, NULL, NULL,
	292	true, true, true,
	293	true, true, GNUTLS_KEY_KEY_CERT_SIGN,
	294	false, false, NULL, NULL,
	295	0, 0);
	296	TLS_CERT_REQ(servercertreq, cacertreq,
	297	"UK", "qemu.org", NULL, NULL, NULL, NULL,
	298	true, true, false,
	299	true, true,
	300	GNUTLS_KEY_DIGITAL_SIGNATURE \| GNUTLS_KEY_KEY_ENCIPHERMENT,
	301	true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL,
	302	0, 0);
	303	TLS_CERT_REQ(clientcertreq, cacertreq,
	304	"UK", "qemu", NULL, NULL, NULL, NULL,
	305	true, true, false,
	306	true, true,
	307	GNUTLS_KEY_DIGITAL_SIGNATURE \| GNUTLS_KEY_KEY_ENCIPHERMENT,
	308	true, true, GNUTLS_KP_TLS_WWW_CLIENT, NULL,
	309	0, 0);
	310
	311	const char *const wildcards[] = {
	312	"C=UK,CN=qemu*",
	313	NULL,
	314	};
	315	TEST_CHANNEL(basic, cacertreq.filename, servercertreq.filename,
	316	clientcertreq.filename, false, false,
	317	"qemu.org", wildcards);
	318
	319	ret = g_test_run();
	320
	321	test_tls_discard_cert(&clientcertreq);
	322	test_tls_discard_cert(&servercertreq);
	323	test_tls_discard_cert(&cacertreq);
	324
	325	test_tls_cleanup(KEYFILE);
	326	rmdir(WORKDIR);
	327
	328	return ret == 0 ? EXIT_SUCCESS : EXIT_FAILURE;
	329	}
	330
331	#else /* ! QCRYPTO_HAVE_TLS_TEST_SUPPORT */
332
333	int
334	main(void)
335	{
336	return EXIT_SUCCESS;
337	}
338
339	#endif /* ! QCRYPTO_HAVE_TLS_TEST_SUPPORT */