[qemu.git] / tests / test-io-channel-tls.c

/*
 * QEMU I/O channel TLS test
 *
 * Copyright (C) 2015 Red Hat, Inc.
 *
 * This library is free software; you can redistribute it and/or
 * modify it under the terms of the GNU Lesser General Public
 * License as published by the Free Software Foundation; either
 * version 2.1 of the License, or (at your option) any later version.
 *
 * This library is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
 * Lesser General Public License for more details.
 *
 * You should have received a copy of the GNU Lesser General Public
 * License along with this library.  If not, see
 * <http://www.gnu.org/licenses/>.
 *
 * Author: Daniel P. Berrange <[email protected]>
 */


#include "qemu/osdep.h"

#include "crypto-tls-x509-helpers.h"
#include "io/channel-tls.h"
#include "io/channel-socket.h"
#include "io-channel-helpers.h"
#include "crypto/init.h"
#include "crypto/tlscredsx509.h"
#include "qemu/acl.h"
#include "qom/object_interfaces.h"

#ifdef QCRYPTO_HAVE_TLS_TEST_SUPPORT

#define WORKDIR "tests/test-io-channel-tls-work/"
#define KEYFILE WORKDIR "key-ctx.pem"

struct QIOChannelTLSTestData {
    const char *servercacrt;
    const char *clientcacrt;
    const char *servercrt;
    const char *clientcrt;
    bool expectServerFail;
    bool expectClientFail;
    const char *hostname;
    const char *const *wildcards;
};

struct QIOChannelTLSHandshakeData {
    bool finished;
    bool failed;
};

static void test_tls_handshake_done(QIOTask *task,
                                    gpointer opaque)
{
    struct QIOChannelTLSHandshakeData *data = opaque;

    data->finished = true;
    data->failed = qio_task_propagate_error(task, NULL);
}


static QCryptoTLSCreds *test_tls_creds_create(QCryptoTLSCredsEndpoint endpoint,
                                              const char *certdir,
                                              Error **errp)
{
    Object *parent = object_get_objects_root();
    Object *creds = object_new_with_props(
        TYPE_QCRYPTO_TLS_CREDS_X509,
        parent,
        (endpoint == QCRYPTO_TLS_CREDS_ENDPOINT_SERVER ?
         "testtlscredsserver" : "testtlscredsclient"),
        errp,
        "endpoint", (endpoint == QCRYPTO_TLS_CREDS_ENDPOINT_SERVER ?
                     "server" : "client"),
        "dir", certdir,
        "verify-peer", "yes",
        /* We skip initial sanity checks here because we
         * want to make sure that problems are being
         * detected at the TLS session validation stage,
         * and the test-crypto-tlscreds test already
         * validate the sanity check code.
         */
        "sanity-check", "no",
        NULL
        );

    if (*errp) {
        return NULL;
    }
    return QCRYPTO_TLS_CREDS(creds);
}


/*
 * This tests validation checking of peer certificates
 *
 * This is replicating the checks that are done for an
 * active TLS session after handshake completes. To
 * simulate that we create our TLS contexts, skipping
 * sanity checks. When then get a socketpair, and
 * initiate a TLS session across them. Finally do
 * do actual cert validation tests
 */
static void test_io_channel_tls(const void *opaque)
{
    struct QIOChannelTLSTestData *data =
        (struct QIOChannelTLSTestData *)opaque;
    QCryptoTLSCreds *clientCreds;
    QCryptoTLSCreds *serverCreds;
    QIOChannelTLS *clientChanTLS;
    QIOChannelTLS *serverChanTLS;
    QIOChannelSocket *clientChanSock;
    QIOChannelSocket *serverChanSock;
    qemu_acl *acl;
    const char * const *wildcards;
    int channel[2];
    struct QIOChannelTLSHandshakeData clientHandshake = { false, false };
    struct QIOChannelTLSHandshakeData serverHandshake = { false, false };
    Error *err = NULL;
    QIOChannelTest *test;
    GMainContext *mainloop;

    /* We'll use this for our fake client-server connection */
    g_assert(socketpair(AF_UNIX, SOCK_STREAM, 0, channel) == 0);

#define CLIENT_CERT_DIR "tests/test-crypto-tlssession-client/"
#define SERVER_CERT_DIR "tests/test-crypto-tlssession-server/"
    mkdir(CLIENT_CERT_DIR, 0700);
    mkdir(SERVER_CERT_DIR, 0700);

    unlink(SERVER_CERT_DIR QCRYPTO_TLS_CREDS_X509_CA_CERT);
    unlink(SERVER_CERT_DIR QCRYPTO_TLS_CREDS_X509_SERVER_CERT);
    unlink(SERVER_CERT_DIR QCRYPTO_TLS_CREDS_X509_SERVER_KEY);

    unlink(CLIENT_CERT_DIR QCRYPTO_TLS_CREDS_X509_CA_CERT);
    unlink(CLIENT_CERT_DIR QCRYPTO_TLS_CREDS_X509_CLIENT_CERT);
    unlink(CLIENT_CERT_DIR QCRYPTO_TLS_CREDS_X509_CLIENT_KEY);

    g_assert(link(data->servercacrt,
                  SERVER_CERT_DIR QCRYPTO_TLS_CREDS_X509_CA_CERT) == 0);
    g_assert(link(data->servercrt,
                  SERVER_CERT_DIR QCRYPTO_TLS_CREDS_X509_SERVER_CERT) == 0);
    g_assert(link(KEYFILE,
                  SERVER_CERT_DIR QCRYPTO_TLS_CREDS_X509_SERVER_KEY) == 0);

    g_assert(link(data->clientcacrt,
                  CLIENT_CERT_DIR QCRYPTO_TLS_CREDS_X509_CA_CERT) == 0);
    g_assert(link(data->clientcrt,
                  CLIENT_CERT_DIR QCRYPTO_TLS_CREDS_X509_CLIENT_CERT) == 0);
    g_assert(link(KEYFILE,
                  CLIENT_CERT_DIR QCRYPTO_TLS_CREDS_X509_CLIENT_KEY) == 0);

    clientCreds = test_tls_creds_create(
        QCRYPTO_TLS_CREDS_ENDPOINT_CLIENT,
        CLIENT_CERT_DIR,
        &err);
    g_assert(clientCreds != NULL);

    serverCreds = test_tls_creds_create(
        QCRYPTO_TLS_CREDS_ENDPOINT_SERVER,
        SERVER_CERT_DIR,
        &err);
    g_assert(serverCreds != NULL);

    acl = qemu_acl_init("channeltlsacl");
    qemu_acl_reset(acl);
    wildcards = data->wildcards;
    while (wildcards && *wildcards) {
        qemu_acl_append(acl, 0, *wildcards);
        wildcards++;
    }

    clientChanSock = qio_channel_socket_new_fd(
        channel[0], &err);
    g_assert(clientChanSock != NULL);
    serverChanSock = qio_channel_socket_new_fd(
        channel[1], &err);
    g_assert(serverChanSock != NULL);

    /*
     * We have an evil loop to do the handshake in a single
     * thread, so we need these non-blocking to avoid deadlock
     * of ourselves
     */
    qio_channel_set_blocking(QIO_CHANNEL(clientChanSock), false, NULL);
    qio_channel_set_blocking(QIO_CHANNEL(serverChanSock), false, NULL);

    /* Now the real part of the test, setup the sessions */
    clientChanTLS = qio_channel_tls_new_client(
        QIO_CHANNEL(clientChanSock), clientCreds,
        data->hostname, &err);
    g_assert(clientChanTLS != NULL);

    serverChanTLS = qio_channel_tls_new_server(
        QIO_CHANNEL(serverChanSock), serverCreds,
        "channeltlsacl", &err);
    g_assert(serverChanTLS != NULL);

    qio_channel_tls_handshake(clientChanTLS,
                              test_tls_handshake_done,
                              &clientHandshake,
                              NULL);
    qio_channel_tls_handshake(serverChanTLS,
                              test_tls_handshake_done,
                              &serverHandshake,
                              NULL);

    /*
     * Finally we loop around & around doing handshake on each
     * session until we get an error, or the handshake completes.
     * This relies on the socketpair being nonblocking to avoid
     * deadlocking ourselves upon handshake
     */
    mainloop = g_main_context_default();
    do {
        g_main_context_iteration(mainloop, TRUE);
    } while (!clientHandshake.finished &&
             !serverHandshake.finished);

    g_assert(clientHandshake.failed == data->expectClientFail);
    g_assert(serverHandshake.failed == data->expectServerFail);

    test = qio_channel_test_new();
    qio_channel_test_run_threads(test, false,
                                 QIO_CHANNEL(clientChanTLS),
                                 QIO_CHANNEL(serverChanTLS));
    qio_channel_test_validate(test);

    test = qio_channel_test_new();
    qio_channel_test_run_threads(test, true,
                                 QIO_CHANNEL(clientChanTLS),
                                 QIO_CHANNEL(serverChanTLS));
    qio_channel_test_validate(test);

    unlink(SERVER_CERT_DIR QCRYPTO_TLS_CREDS_X509_CA_CERT);
    unlink(SERVER_CERT_DIR QCRYPTO_TLS_CREDS_X509_SERVER_CERT);
    unlink(SERVER_CERT_DIR QCRYPTO_TLS_CREDS_X509_SERVER_KEY);

    unlink(CLIENT_CERT_DIR QCRYPTO_TLS_CREDS_X509_CA_CERT);
    unlink(CLIENT_CERT_DIR QCRYPTO_TLS_CREDS_X509_CLIENT_CERT);
    unlink(CLIENT_CERT_DIR QCRYPTO_TLS_CREDS_X509_CLIENT_KEY);

    rmdir(CLIENT_CERT_DIR);
    rmdir(SERVER_CERT_DIR);

    object_unparent(OBJECT(serverCreds));
    object_unparent(OBJECT(clientCreds));

    object_unref(OBJECT(serverChanTLS));
    object_unref(OBJECT(clientChanTLS));

    object_unref(OBJECT(serverChanSock));
    object_unref(OBJECT(clientChanSock));

    close(channel[0]);
    close(channel[1]);
}


int main(int argc, char **argv)
{
    int ret;

    g_assert(qcrypto_init(NULL) == 0);

    module_call_init(MODULE_INIT_QOM);
    g_test_init(&argc, &argv, NULL);
    setenv("GNUTLS_FORCE_FIPS_MODE", "2", 1);

    mkdir(WORKDIR, 0700);

    test_tls_init(KEYFILE);

# define TEST_CHANNEL(name, caCrt,                                      \
                      serverCrt, clientCrt,                             \
                      expectServerFail, expectClientFail,               \
                      hostname, wildcards)                              \
    struct QIOChannelTLSTestData name = {                               \
        caCrt, caCrt, serverCrt, clientCrt,                             \
        expectServerFail, expectClientFail,                             \
        hostname, wildcards                                             \
    };                                                                  \
    g_test_add_data_func("/qio/channel/tls/" # name,                    \
                         &name, test_io_channel_tls);

    /* A perfect CA, perfect client & perfect server */

    /* Basic:CA:critical */
    TLS_ROOT_REQ(cacertreq,
                 "UK", "qemu CA", NULL, NULL, NULL, NULL,
                 true, true, true,
                 true, true, GNUTLS_KEY_KEY_CERT_SIGN,
                 false, false, NULL, NULL,
                 0, 0);
    TLS_CERT_REQ(servercertreq, cacertreq,
                 "UK", "qemu.org", NULL, NULL, NULL, NULL,
                 true, true, false,
                 true, true,
                 GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT,
                 true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL,
                 0, 0);
    TLS_CERT_REQ(clientcertreq, cacertreq,
                 "UK", "qemu", NULL, NULL, NULL, NULL,
                 true, true, false,
                 true, true,
                 GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT,
                 true, true, GNUTLS_KP_TLS_WWW_CLIENT, NULL,
                 0, 0);

    const char *const wildcards[] = {
        "C=UK,CN=qemu*",
        NULL,
    };
    TEST_CHANNEL(basic, cacertreq.filename, servercertreq.filename,
                 clientcertreq.filename, false, false,
                 "qemu.org", wildcards);

    ret = g_test_run();

    test_tls_discard_cert(&clientcertreq);
    test_tls_discard_cert(&servercertreq);
    test_tls_discard_cert(&cacertreq);

    test_tls_cleanup(KEYFILE);
    rmdir(WORKDIR);

    return ret == 0 ? EXIT_SUCCESS : EXIT_FAILURE;
}

#else /* ! QCRYPTO_HAVE_TLS_TEST_SUPPORT */

int
main(void)
{
    return EXIT_SUCCESS;
}

#endif /* ! QCRYPTO_HAVE_TLS_TEST_SUPPORT */
Commit	Line	Data
ed8ee42c DB	1	/*
	2	* QEMU I/O channel TLS test
	3	*
	4	* Copyright (C) 2015 Red Hat, Inc.
	5	*
	6	* This library is free software; you can redistribute it and/or
	7	* modify it under the terms of the GNU Lesser General Public
	8	* License as published by the Free Software Foundation; either
	9	* version 2.1 of the License, or (at your option) any later version.
	10	*
	11	* This library is distributed in the hope that it will be useful,
	12	* but WITHOUT ANY WARRANTY; without even the implied warranty of
	13	* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
	14	* Lesser General Public License for more details.
	15	*
	16	* You should have received a copy of the GNU Lesser General Public
	17	* License along with this library. If not, see
	18	* <http://www.gnu.org/licenses/>.
	19	*
	20	* Author: Daniel P. Berrange <[email protected]>
	21	*/
	22
	23
681c28a3	24	#include "qemu/osdep.h"
ed8ee42c	25
ed8ee42c DB	26	#include "crypto-tls-x509-helpers.h"
	27	#include "io/channel-tls.h"
	28	#include "io/channel-socket.h"
	29	#include "io-channel-helpers.h"
d26d6b5d	30	#include "crypto/init.h"
ed8ee42c DB	31	#include "crypto/tlscredsx509.h"
	32	#include "qemu/acl.h"
	33	#include "qom/object_interfaces.h"
	34
	35	#ifdef QCRYPTO_HAVE_TLS_TEST_SUPPORT
	36
	37	#define WORKDIR "tests/test-io-channel-tls-work/"
	38	#define KEYFILE WORKDIR "key-ctx.pem"
	39
	40	struct QIOChannelTLSTestData {
	41	const char *servercacrt;
	42	const char *clientcacrt;
	43	const char *servercrt;
	44	const char *clientcrt;
	45	bool expectServerFail;
	46	bool expectClientFail;
	47	const char *hostname;
	48	const char const wildcards;
	49	};
	50
	51	struct QIOChannelTLSHandshakeData {
	52	bool finished;
	53	bool failed;
	54	};
	55
60e705c5	56	static void test_tls_handshake_done(QIOTask *task,
ed8ee42c DB	57	gpointer opaque)
	58	{
	59	struct QIOChannelTLSHandshakeData *data = opaque;
	60
	61	data->finished = true;
60e705c5	62	data->failed = qio_task_propagate_error(task, NULL);
ed8ee42c DB	63	}
	64
	65
	66	static QCryptoTLSCreds *test_tls_creds_create(QCryptoTLSCredsEndpoint endpoint,
	67	const char *certdir,
	68	Error **errp)
	69	{
	70	Object *parent = object_get_objects_root();
	71	Object *creds = object_new_with_props(
	72	TYPE_QCRYPTO_TLS_CREDS_X509,
	73	parent,
	74	(endpoint == QCRYPTO_TLS_CREDS_ENDPOINT_SERVER ?
	75	"testtlscredsserver" : "testtlscredsclient"),
	76	errp,
	77	"endpoint", (endpoint == QCRYPTO_TLS_CREDS_ENDPOINT_SERVER ?
	78	"server" : "client"),
	79	"dir", certdir,
	80	"verify-peer", "yes",
	81	/* We skip initial sanity checks here because we
	82	* want to make sure that problems are being
	83	* detected at the TLS session validation stage,
	84	* and the test-crypto-tlscreds test already
	85	* validate the sanity check code.
	86	*/
	87	"sanity-check", "no",
	88	NULL
	89	);
	90
	91	if (*errp) {
	92	return NULL;
	93	}
	94	return QCRYPTO_TLS_CREDS(creds);
	95	}
	96
	97
	98	/*
	99	* This tests validation checking of peer certificates
	100	*
	101	* This is replicating the checks that are done for an
	102	* active TLS session after handshake completes. To
	103	* simulate that we create our TLS contexts, skipping
	104	* sanity checks. When then get a socketpair, and
	105	* initiate a TLS session across them. Finally do
	106	* do actual cert validation tests
	107	*/
	108	static void test_io_channel_tls(const void *opaque)
	109	{
	110	struct QIOChannelTLSTestData *data =
	111	(struct QIOChannelTLSTestData *)opaque;
	112	QCryptoTLSCreds *clientCreds;
	113	QCryptoTLSCreds *serverCreds;
	114	QIOChannelTLS *clientChanTLS;
	115	QIOChannelTLS *serverChanTLS;
	116	QIOChannelSocket *clientChanSock;
	117	QIOChannelSocket *serverChanSock;
	118	qemu_acl *acl;
	119	const char * const *wildcards;
	120	int channel[2];
	121	struct QIOChannelTLSHandshakeData clientHandshake = { false, false };
	122	struct QIOChannelTLSHandshakeData serverHandshake = { false, false };
	123	Error *err = NULL;
	124	QIOChannelTest *test;
	125	GMainContext *mainloop;
	126
127	/* We'll use this for our fake client-server connection */
128	g_assert(socketpair(AF_UNIX, SOCK_STREAM, 0, channel) == 0);
129
130	#define CLIENT_CERT_DIR "tests/test-crypto-tlssession-client/"
131	#define SERVER_CERT_DIR "tests/test-crypto-tlssession-server/"
132	mkdir(CLIENT_CERT_DIR, 0700);
133	mkdir(SERVER_CERT_DIR, 0700);
134
135	unlink(SERVER_CERT_DIR QCRYPTO_TLS_CREDS_X509_CA_CERT);
136	unlink(SERVER_CERT_DIR QCRYPTO_TLS_CREDS_X509_SERVER_CERT);
137	unlink(SERVER_CERT_DIR QCRYPTO_TLS_CREDS_X509_SERVER_KEY);
138
139	unlink(CLIENT_CERT_DIR QCRYPTO_TLS_CREDS_X509_CA_CERT);
140	unlink(CLIENT_CERT_DIR QCRYPTO_TLS_CREDS_X509_CLIENT_CERT);
141	unlink(CLIENT_CERT_DIR QCRYPTO_TLS_CREDS_X509_CLIENT_KEY);
142
143	g_assert(link(data->servercacrt,
144	SERVER_CERT_DIR QCRYPTO_TLS_CREDS_X509_CA_CERT) == 0);
145	g_assert(link(data->servercrt,
146	SERVER_CERT_DIR QCRYPTO_TLS_CREDS_X509_SERVER_CERT) == 0);
147	g_assert(link(KEYFILE,
148	SERVER_CERT_DIR QCRYPTO_TLS_CREDS_X509_SERVER_KEY) == 0);
149
150	g_assert(link(data->clientcacrt,
151	CLIENT_CERT_DIR QCRYPTO_TLS_CREDS_X509_CA_CERT) == 0);
152	g_assert(link(data->clientcrt,
153	CLIENT_CERT_DIR QCRYPTO_TLS_CREDS_X509_CLIENT_CERT) == 0);
154	g_assert(link(KEYFILE,
155	CLIENT_CERT_DIR QCRYPTO_TLS_CREDS_X509_CLIENT_KEY) == 0);
156
157	clientCreds = test_tls_creds_create(
158	QCRYPTO_TLS_CREDS_ENDPOINT_CLIENT,
159	CLIENT_CERT_DIR,
160	&err);
161	g_assert(clientCreds != NULL);
162
163	serverCreds = test_tls_creds_create(
164	QCRYPTO_TLS_CREDS_ENDPOINT_SERVER,
165	SERVER_CERT_DIR,
166	&err);
167	g_assert(serverCreds != NULL);
168
169	acl = qemu_acl_init("channeltlsacl");
170	qemu_acl_reset(acl);
171	wildcards = data->wildcards;
172	while (wildcards && *wildcards) {
173	qemu_acl_append(acl, 0, *wildcards);
174	wildcards++;
175	}
176
177	clientChanSock = qio_channel_socket_new_fd(
178	channel[0], &err);
179	g_assert(clientChanSock != NULL);
180	serverChanSock = qio_channel_socket_new_fd(
181	channel[1], &err);
182	g_assert(serverChanSock != NULL);
183
184	/*
185	* We have an evil loop to do the handshake in a single
186	* thread, so we need these non-blocking to avoid deadlock
187	* of ourselves
188	*/
189	qio_channel_set_blocking(QIO_CHANNEL(clientChanSock), false, NULL);
190	qio_channel_set_blocking(QIO_CHANNEL(serverChanSock), false, NULL);
191
192	/* Now the real part of the test, setup the sessions */
193	clientChanTLS = qio_channel_tls_new_client(
194	QIO_CHANNEL(clientChanSock), clientCreds,
195	data->hostname, &err);
196	g_assert(clientChanTLS != NULL);
197
198	serverChanTLS = qio_channel_tls_new_server(
199	QIO_CHANNEL(serverChanSock), serverCreds,
200	"channeltlsacl", &err);
201	g_assert(serverChanTLS != NULL);
202
203	qio_channel_tls_handshake(clientChanTLS,
204	test_tls_handshake_done,
205	&clientHandshake,
206	NULL);
207	qio_channel_tls_handshake(serverChanTLS,
208	test_tls_handshake_done,
209	&serverHandshake,
210	NULL);
211
212	/*
213	* Finally we loop around & around doing handshake on each
214	* session until we get an error, or the handshake completes.
215	* This relies on the socketpair being nonblocking to avoid
216	* deadlocking ourselves upon handshake
217	*/
218	mainloop = g_main_context_default();
219	do {
220	g_main_context_iteration(mainloop, TRUE);
221	} while (!clientHandshake.finished &&
222	!serverHandshake.finished);
223
224	g_assert(clientHandshake.failed == data->expectClientFail);
225	g_assert(serverHandshake.failed == data->expectServerFail);
226
227	test = qio_channel_test_new();
228	qio_channel_test_run_threads(test, false,
229	QIO_CHANNEL(clientChanTLS),
230	QIO_CHANNEL(serverChanTLS));
231	qio_channel_test_validate(test);
232
233	test = qio_channel_test_new();
234	qio_channel_test_run_threads(test, true,
235	QIO_CHANNEL(clientChanTLS),
236	QIO_CHANNEL(serverChanTLS));
237	qio_channel_test_validate(test);
238
239	unlink(SERVER_CERT_DIR QCRYPTO_TLS_CREDS_X509_CA_CERT);
240	unlink(SERVER_CERT_DIR QCRYPTO_TLS_CREDS_X509_SERVER_CERT);
241	unlink(SERVER_CERT_DIR QCRYPTO_TLS_CREDS_X509_SERVER_KEY);
242
243	unlink(CLIENT_CERT_DIR QCRYPTO_TLS_CREDS_X509_CA_CERT);
244	unlink(CLIENT_CERT_DIR QCRYPTO_TLS_CREDS_X509_CLIENT_CERT);
245	unlink(CLIENT_CERT_DIR QCRYPTO_TLS_CREDS_X509_CLIENT_KEY);
246
247	rmdir(CLIENT_CERT_DIR);
248	rmdir(SERVER_CERT_DIR);
249
250	object_unparent(OBJECT(serverCreds));
251	object_unparent(OBJECT(clientCreds));
252
253	object_unref(OBJECT(serverChanTLS));
254	object_unref(OBJECT(clientChanTLS));
255
256	object_unref(OBJECT(serverChanSock));
257	object_unref(OBJECT(clientChanSock));
258
259	close(channel[0]);
260	close(channel[1]);
261	}
262
263
264	int main(int argc, char **argv)
265	{
266	int ret;
267
d26d6b5d DB	268	g_assert(qcrypto_init(NULL) == 0);
d26d6b5d DB	269
ed8ee42c DB	270	module_call_init(MODULE_INIT_QOM);
	271	g_test_init(&argc, &argv, NULL);
	272	setenv("GNUTLS_FORCE_FIPS_MODE", "2", 1);
	273
	274	mkdir(WORKDIR, 0700);
	275
	276	test_tls_init(KEYFILE);
	277
	278	# define TEST_CHANNEL(name, caCrt, \
	279	serverCrt, clientCrt, \
	280	expectServerFail, expectClientFail, \
	281	hostname, wildcards) \
	282	struct QIOChannelTLSTestData name = { \
	283	caCrt, caCrt, serverCrt, clientCrt, \
	284	expectServerFail, expectClientFail, \
	285	hostname, wildcards \
	286	}; \
	287	g_test_add_data_func("/qio/channel/tls/" # name, \
	288	&name, test_io_channel_tls);
	289
	290	/* A perfect CA, perfect client & perfect server */
	291
	292	/* Basic:CA:critical */
	293	TLS_ROOT_REQ(cacertreq,
	294	"UK", "qemu CA", NULL, NULL, NULL, NULL,
	295	true, true, true,
	296	true, true, GNUTLS_KEY_KEY_CERT_SIGN,
	297	false, false, NULL, NULL,
	298	0, 0);
	299	TLS_CERT_REQ(servercertreq, cacertreq,
	300	"UK", "qemu.org", NULL, NULL, NULL, NULL,
	301	true, true, false,
	302	true, true,
	303	GNUTLS_KEY_DIGITAL_SIGNATURE \| GNUTLS_KEY_KEY_ENCIPHERMENT,
	304	true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL,
	305	0, 0);
	306	TLS_CERT_REQ(clientcertreq, cacertreq,
	307	"UK", "qemu", NULL, NULL, NULL, NULL,
	308	true, true, false,
	309	true, true,
	310	GNUTLS_KEY_DIGITAL_SIGNATURE \| GNUTLS_KEY_KEY_ENCIPHERMENT,
	311	true, true, GNUTLS_KP_TLS_WWW_CLIENT, NULL,
	312	0, 0);
	313
	314	const char *const wildcards[] = {
	315	"C=UK,CN=qemu*",
	316	NULL,
	317	};
	318	TEST_CHANNEL(basic, cacertreq.filename, servercertreq.filename,
	319	clientcertreq.filename, false, false,
	320	"qemu.org", wildcards);
	321
	322	ret = g_test_run();
	323
	324	test_tls_discard_cert(&clientcertreq);
	325	test_tls_discard_cert(&servercertreq);
	326	test_tls_discard_cert(&cacertreq);
	327
	328	test_tls_cleanup(KEYFILE);
	329	rmdir(WORKDIR);
	330
	331	return ret == 0 ? EXIT_SUCCESS : EXIT_FAILURE;
	332	}
	333
334	#else /* ! QCRYPTO_HAVE_TLS_TEST_SUPPORT */
335
336	int
337	main(void)
338	{
339	return EXIT_SUCCESS;
340	}
341
342	#endif /* ! QCRYPTO_HAVE_TLS_TEST_SUPPORT */