2011-07-20 22:04:18 +04:00
/*
2014-03-17 13:38:38 +04:00
* Copyright ( C ) 2011 - 2014 Red Hat , Inc .
2011-07-20 22:04:18 +04:00
*
* This library is free software ; you can redistribute it and / or
* modify it under the terms of the GNU Lesser General Public
* License as published by the Free Software Foundation ; either
* version 2.1 of the License , or ( at your option ) any later version .
*
* This library is distributed in the hope that it will be useful ,
* but WITHOUT ANY WARRANTY ; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE . See the GNU
* Lesser General Public License for more details .
*
* You should have received a copy of the GNU Lesser General Public
2012-09-21 02:30:55 +04:00
* License along with this library . If not , see
2012-07-21 14:06:23 +04:00
* < http : //www.gnu.org/licenses/>.
2011-07-20 22:04:18 +04:00
*/
# include <config.h>
# include <fcntl.h>
# include <sys/socket.h>
# include "testutils.h"
2013-08-05 19:49:24 +04:00
# include "virnettlshelpers.h"
2012-12-13 21:44:57 +04:00
# include "virutil.h"
2012-12-13 22:21:53 +04:00
# include "virerror.h"
2012-12-12 22:06:53 +04:00
# include "viralloc.h"
2012-12-12 21:59:27 +04:00
# include "virlog.h"
2011-07-20 22:04:18 +04:00
# include "virfile.h"
2012-12-12 20:27:01 +04:00
# include "vircommand.h"
Split src/util/network.{c,h} into 5 pieces
The src/util/network.c file is a dumping ground for many different
APIs. Split it up into 5 pieces, along functional lines
- src/util/virnetdevbandwidth.c: virNetDevBandwidth type & helper APIs
- src/util/virnetdevvportprofile.c: virNetDevVPortProfile type & helper APIs
- src/util/virsocketaddr.c: virSocketAddr and APIs
- src/conf/netdev_bandwidth_conf.c: XML parsing / formatting
for virNetDevBandwidth
- src/conf/netdev_vport_profile_conf.c: XML parsing / formatting
for virNetDevVPortProfile
* src/util/network.c, src/util/network.h: Split into 5 pieces
* src/conf/netdev_bandwidth_conf.c, src/conf/netdev_bandwidth_conf.h,
src/conf/netdev_vport_profile_conf.c, src/conf/netdev_vport_profile_conf.h,
src/util/virnetdevbandwidth.c, src/util/virnetdevbandwidth.h,
src/util/virnetdevvportprofile.c, src/util/virnetdevvportprofile.h,
src/util/virsocketaddr.c, src/util/virsocketaddr.h: New pieces
* daemon/libvirtd.h, daemon/remote.c, src/conf/domain_conf.c,
src/conf/domain_conf.h, src/conf/network_conf.c,
src/conf/network_conf.h, src/conf/nwfilter_conf.h,
src/esx/esx_util.h, src/network/bridge_driver.c,
src/qemu/qemu_conf.c, src/rpc/virnetsocket.c,
src/rpc/virnetsocket.h, src/util/dnsmasq.h, src/util/interface.h,
src/util/iptables.h, src/util/macvtap.c, src/util/macvtap.h,
src/util/virnetdev.h, src/util/virnetdevtap.c,
tools/virsh.c: Update include files
2011-11-02 19:40:08 +04:00
# include "virsocketaddr.h"
2011-07-20 22:04:18 +04:00
2012-01-30 21:44:13 +04:00
# if !defined WIN32 && HAVE_LIBTASN1_H && LIBGNUTLS_VERSION_NUMBER >= 0x020600
2011-07-20 22:04:18 +04:00
# include "rpc / virnettlscontext.h"
# define VIR_FROM_THIS VIR_FROM_RPC
2014-02-28 16:16:17 +04:00
VIR_LOG_INIT ( " tests.nettlscontexttest " ) ;
2013-08-09 02:08:25 +04:00
# define KEYFILE "key-ctx.pem"
2011-07-20 22:04:18 +04:00
struct testTLSContextData {
bool isServer ;
2013-08-06 14:35:49 +04:00
const char * cacrt ;
const char * crt ;
2011-07-20 22:04:18 +04:00
bool expectFail ;
} ;
/*
* This tests sanity checking of our own certificates
*
* This code is done when libvirtd starts up , or before
* a libvirt client connects . The test is ensuring that
* the creation of virNetTLSContextPtr fails if we
2012-10-11 20:31:20 +04:00
* give bogus certs , or succeeds for good certs
2011-07-20 22:04:18 +04:00
*/
static int testTLSContextInit ( const void * opaque )
{
struct testTLSContextData * data = ( struct testTLSContextData * ) opaque ;
virNetTLSContextPtr ctxt = NULL ;
int ret = - 1 ;
if ( data - > isServer ) {
2013-08-06 14:35:49 +04:00
ctxt = virNetTLSContextNewServer ( data - > cacrt ,
2011-07-20 22:04:18 +04:00
NULL ,
2013-08-06 14:35:49 +04:00
data - > crt ,
2013-08-09 02:08:25 +04:00
KEYFILE ,
2011-07-20 22:04:18 +04:00
NULL ,
2018-03-05 15:46:16 +03:00
" NORMAL " ,
2011-07-20 22:04:18 +04:00
true ,
true ) ;
} else {
2013-08-06 14:35:49 +04:00
ctxt = virNetTLSContextNewClient ( data - > cacrt ,
2011-07-20 22:04:18 +04:00
NULL ,
2013-08-06 14:35:49 +04:00
data - > crt ,
2013-08-09 02:08:25 +04:00
KEYFILE ,
2018-03-05 15:46:16 +03:00
" NORMAL " ,
2011-07-20 22:04:18 +04:00
true ,
true ) ;
}
if ( ctxt ) {
if ( data - > expectFail ) {
VIR_WARN ( " Expected failure %s against %s " ,
2013-08-06 14:35:49 +04:00
data - > cacrt , data - > crt ) ;
2011-07-20 22:04:18 +04:00
goto cleanup ;
}
} else {
if ( ! data - > expectFail ) {
VIR_WARN ( " Unexpected failure %s against %s " ,
2013-08-06 14:35:49 +04:00
data - > cacrt , data - > crt ) ;
2011-07-20 22:04:18 +04:00
goto cleanup ;
}
2016-03-18 23:58:02 +03:00
VIR_DEBUG ( " Got error %s " , virGetLastErrorMessage ( ) ) ;
2011-07-20 22:04:18 +04:00
}
ret = 0 ;
2014-03-25 10:53:44 +04:00
cleanup :
2012-07-11 17:35:48 +04:00
virObjectUnref ( ctxt ) ;
2011-07-20 22:04:18 +04:00
return ret ;
}
static int
mymain ( void )
{
int ret = 0 ;
2014-09-04 13:23:16 +04:00
setenv ( " GNUTLS_FORCE_FIPS_MODE " , " 2 " , 1 ) ;
2013-08-09 02:08:25 +04:00
testTLSInit ( KEYFILE ) ;
2011-07-20 22:04:18 +04:00
2017-11-03 15:09:47 +03:00
# define DO_CTX_TEST(_isServer, _caCrt, _crt, _expectFail) \
do { \
static struct testTLSContextData data ; \
data . isServer = _isServer ; \
data . cacrt = _caCrt ; \
data . crt = _crt ; \
data . expectFail = _expectFail ; \
if ( virTestRun ( " TLS Context " # _caCrt " + " # _crt , \
testTLSContextInit , & data ) < 0 ) \
ret = - 1 ; \
2011-07-20 22:04:18 +04:00
} while ( 0 )
2017-11-03 15:09:47 +03:00
# define TLS_CERT_REQ(varname, cavarname, \
co , cn , an1 , an2 , ia1 , ia2 , bce , bcc , bci , \
kue , kuc , kuv , kpe , kpc , kpo1 , kpo2 , so , eo ) \
static struct testTLSCertReq varname = { \
NULL , # varname " -ctx.pem " , \
co , cn , an1 , an2 , ia1 , ia2 , bce , bcc , bci , \
kue , kuc , kuv , kpe , kpc , kpo1 , kpo2 , so , eo \
} ; \
2013-08-05 20:08:17 +04:00
testTLSGenerateCert ( & varname , cavarname . crt )
2017-11-03 15:09:47 +03:00
# define TLS_ROOT_REQ(varname, \
co , cn , an1 , an2 , ia1 , ia2 , bce , bcc , bci , \
kue , kuc , kuv , kpe , kpc , kpo1 , kpo2 , so , eo ) \
static struct testTLSCertReq varname = { \
NULL , # varname " -ctx.pem " , \
co , cn , an1 , an2 , ia1 , ia2 , bce , bcc , bci , \
kue , kuc , kuv , kpe , kpc , kpo1 , kpo2 , so , eo \
} ; \
2013-08-05 20:08:17 +04:00
testTLSGenerateCert ( & varname , NULL )
2011-07-20 22:04:18 +04:00
/* A perfect CA, perfect client & perfect server */
/* Basic:CA:critical */
2013-08-05 20:08:17 +04:00
TLS_ROOT_REQ ( cacertreq ,
" UK " , " libvirt CA " , NULL , NULL , NULL , NULL ,
true , true , true ,
true , true , GNUTLS_KEY_KEY_CERT_SIGN ,
false , false , NULL , NULL ,
0 , 0 ) ;
TLS_CERT_REQ ( servercertreq , cacertreq ,
" UK " , " libvirt.org " , NULL , NULL , NULL , NULL ,
true , true , false ,
true , true , GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT ,
true , true , GNUTLS_KP_TLS_WWW_SERVER , NULL ,
0 , 0 ) ;
TLS_CERT_REQ ( clientcertreq , cacertreq ,
" UK " , " libvirt " , NULL , NULL , NULL , NULL ,
true , true , false ,
true , true , GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT ,
true , true , GNUTLS_KP_TLS_WWW_CLIENT , NULL ,
0 , 0 ) ;
2011-07-20 22:04:18 +04:00
2013-08-06 14:35:49 +04:00
DO_CTX_TEST ( true , cacertreq . filename , servercertreq . filename , false ) ;
DO_CTX_TEST ( false , cacertreq . filename , clientcertreq . filename , false ) ;
2011-07-20 22:04:18 +04:00
/* Some other CAs which are good */
/* Basic:CA:critical */
2013-08-05 20:08:17 +04:00
TLS_ROOT_REQ ( cacert1req ,
" UK " , " libvirt CA 1 " , NULL , NULL , NULL , NULL ,
true , true , true ,
false , false , 0 ,
false , false , NULL , NULL ,
0 , 0 ) ;
TLS_CERT_REQ ( servercert1req , cacert1req ,
" UK " , " libvirt.org " , NULL , NULL , NULL , NULL ,
true , true , false ,
true , true , GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT ,
true , true , GNUTLS_KP_TLS_WWW_SERVER , NULL ,
0 , 0 ) ;
2011-07-20 22:04:18 +04:00
/* Basic:CA:not-critical */
2013-08-05 20:08:17 +04:00
TLS_ROOT_REQ ( cacert2req ,
" UK " , " libvirt CA 2 " , NULL , NULL , NULL , NULL ,
true , false , true ,
false , false , 0 ,
false , false , NULL , NULL ,
0 , 0 ) ;
TLS_CERT_REQ ( servercert2req , cacert2req ,
" UK " , " libvirt.org " , NULL , NULL , NULL , NULL ,
true , true , false ,
true , true , GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT ,
true , true , GNUTLS_KP_TLS_WWW_SERVER , NULL ,
0 , 0 ) ;
2013-08-05 19:49:24 +04:00
/* Key usage:cert-sign:critical */
2013-08-05 20:08:17 +04:00
TLS_ROOT_REQ ( cacert3req ,
" UK " , " libvirt CA 3 " , NULL , NULL , NULL , NULL ,
true , true , true ,
true , true , GNUTLS_KEY_KEY_CERT_SIGN ,
false , false , NULL , NULL ,
0 , 0 ) ;
TLS_CERT_REQ ( servercert3req , cacert3req ,
" UK " , " libvirt.org " , NULL , NULL , NULL , NULL ,
true , true , false ,
true , true , GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT ,
true , true , GNUTLS_KP_TLS_WWW_SERVER , NULL ,
0 , 0 ) ;
2013-08-06 14:35:49 +04:00
DO_CTX_TEST ( true , cacert1req . filename , servercert1req . filename , false ) ;
DO_CTX_TEST ( true , cacert2req . filename , servercert2req . filename , false ) ;
DO_CTX_TEST ( true , cacert3req . filename , servercert3req . filename , false ) ;
2011-07-20 22:04:18 +04:00
/* Now some bad certs */
2013-03-04 21:27:38 +04:00
/* Key usage:dig-sig:not-critical */
2013-08-05 20:08:17 +04:00
TLS_ROOT_REQ ( cacert4req ,
" UK " , " libvirt CA 4 " , NULL , NULL , NULL , NULL ,
true , true , true ,
true , false , GNUTLS_KEY_DIGITAL_SIGNATURE ,
false , false , NULL , NULL ,
0 , 0 ) ;
TLS_CERT_REQ ( servercert4req , cacert4req ,
" UK " , " libvirt.org " , NULL , NULL , NULL , NULL ,
true , true , false ,
true , true , GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT ,
true , true , GNUTLS_KP_TLS_WWW_SERVER , NULL ,
0 , 0 ) ;
2011-07-20 22:04:18 +04:00
/* no-basic */
2013-08-05 20:08:17 +04:00
TLS_ROOT_REQ ( cacert5req ,
" UK " , " libvirt CA 5 " , NULL , NULL , NULL , NULL ,
false , false , false ,
false , false , 0 ,
false , false , NULL , NULL ,
0 , 0 ) ;
TLS_CERT_REQ ( servercert5req , cacert5req ,
" UK " , " libvirt.org " , NULL , NULL , NULL , NULL ,
true , true , false ,
true , true , GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT ,
true , true , GNUTLS_KP_TLS_WWW_SERVER , NULL ,
0 , 0 ) ;
2011-07-20 22:04:18 +04:00
/* Key usage:dig-sig:critical */
2013-08-05 20:08:17 +04:00
TLS_ROOT_REQ ( cacert6req ,
" UK " , " libvirt CA 6 " , NULL , NULL , NULL , NULL ,
true , true , true ,
true , true , GNUTLS_KEY_DIGITAL_SIGNATURE ,
false , false , NULL , NULL ,
0 , 0 ) ;
TLS_CERT_REQ ( servercert6req , cacert6req ,
" UK " , " libvirt.org " , NULL , NULL , NULL , NULL ,
true , true , false ,
true , true , GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT ,
true , true , GNUTLS_KP_TLS_WWW_SERVER , NULL ,
0 , 0 ) ;
2011-07-20 22:04:18 +04:00
2013-03-04 21:27:38 +04:00
/* Technically a CA cert with basic constraints
* key purpose = = key signing + non - critical should
2013-12-23 12:01:42 +04:00
* be rejected . GNUTLS < 3.1 does not reject it and
2013-03-04 21:27:38 +04:00
* we don ' t anticipate them changing this behaviour
*/
2013-12-23 12:01:42 +04:00
DO_CTX_TEST ( true , cacert4req . filename , servercert4req . filename ,
( GNUTLS_VERSION_MAJOR = = 3 & & GNUTLS_VERSION_MINOR > = 1 ) | |
GNUTLS_VERSION_MAJOR > 3 ) ;
2013-08-06 14:35:49 +04:00
DO_CTX_TEST ( true , cacert5req . filename , servercert5req . filename , true ) ;
DO_CTX_TEST ( true , cacert6req . filename , servercert6req . filename , true ) ;
2011-07-20 22:04:18 +04:00
/* Various good servers */
/* no usage or purpose */
2013-08-05 20:08:17 +04:00
TLS_CERT_REQ ( servercert7req , cacertreq ,
" UK " , " libvirt " , NULL , NULL , NULL , NULL ,
true , true , false ,
false , false , 0 ,
false , false , NULL , NULL ,
0 , 0 ) ;
2011-07-20 22:04:18 +04:00
/* usage:cert-sign+dig-sig+encipher:critical */
2013-08-05 20:08:17 +04:00
TLS_CERT_REQ ( servercert8req , cacertreq ,
" UK " , " libvirt " , NULL , NULL , NULL , NULL ,
true , true , false ,
true , true , GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT | GNUTLS_KEY_KEY_CERT_SIGN ,
false , false , NULL , NULL ,
0 , 0 ) ;
2011-07-20 22:04:18 +04:00
/* usage:cert-sign:not-critical */
2013-08-05 20:08:17 +04:00
TLS_CERT_REQ ( servercert9req , cacertreq ,
" UK " , " libvirt " , NULL , NULL , NULL , NULL ,
true , true , false ,
true , false , GNUTLS_KEY_KEY_CERT_SIGN ,
false , false , NULL , NULL ,
0 , 0 ) ;
2011-07-20 22:04:18 +04:00
/* purpose:server:critical */
2013-08-05 20:08:17 +04:00
TLS_CERT_REQ ( servercert10req , cacertreq ,
" UK " , " libvirt " , NULL , NULL , NULL , NULL ,
true , true , false ,
false , false , 0 ,
true , true , GNUTLS_KP_TLS_WWW_SERVER , NULL ,
0 , 0 ) ;
2011-07-20 22:04:18 +04:00
/* purpose:server:not-critical */
2013-08-05 20:08:17 +04:00
TLS_CERT_REQ ( servercert11req , cacertreq ,
" UK " , " libvirt " , NULL , NULL , NULL , NULL ,
true , true , false ,
false , false , 0 ,
true , false , GNUTLS_KP_TLS_WWW_SERVER , NULL ,
0 , 0 ) ;
2011-07-20 22:04:18 +04:00
/* purpose:client+server:critical */
2013-08-05 20:08:17 +04:00
TLS_CERT_REQ ( servercert12req , cacertreq ,
" UK " , " libvirt " , NULL , NULL , NULL , NULL ,
true , true , false ,
false , false , 0 ,
true , true , GNUTLS_KP_TLS_WWW_CLIENT , GNUTLS_KP_TLS_WWW_SERVER ,
0 , 0 ) ;
2011-07-20 22:04:18 +04:00
/* purpose:client+server:not-critical */
2013-08-05 20:08:17 +04:00
TLS_CERT_REQ ( servercert13req , cacertreq ,
" UK " , " libvirt " , NULL , NULL , NULL , NULL ,
true , true , false ,
false , false , 0 ,
true , false , GNUTLS_KP_TLS_WWW_CLIENT , GNUTLS_KP_TLS_WWW_SERVER ,
0 , 0 ) ;
2013-08-06 14:35:49 +04:00
DO_CTX_TEST ( true , cacertreq . filename , servercert7req . filename , false ) ;
DO_CTX_TEST ( true , cacertreq . filename , servercert8req . filename , false ) ;
DO_CTX_TEST ( true , cacertreq . filename , servercert9req . filename , false ) ;
DO_CTX_TEST ( true , cacertreq . filename , servercert10req . filename , false ) ;
DO_CTX_TEST ( true , cacertreq . filename , servercert11req . filename , false ) ;
DO_CTX_TEST ( true , cacertreq . filename , servercert12req . filename , false ) ;
DO_CTX_TEST ( true , cacertreq . filename , servercert13req . filename , false ) ;
2011-07-20 22:04:18 +04:00
/* Bad servers */
/* usage:cert-sign:critical */
2013-08-05 20:08:17 +04:00
TLS_CERT_REQ ( servercert14req , cacertreq ,
" UK " , " libvirt " , NULL , NULL , NULL , NULL ,
true , true , false ,
true , true , GNUTLS_KEY_KEY_CERT_SIGN ,
false , false , NULL , NULL ,
0 , 0 ) ;
2011-07-20 22:04:18 +04:00
/* purpose:client:critical */
2013-08-05 20:08:17 +04:00
TLS_CERT_REQ ( servercert15req , cacertreq ,
" UK " , " libvirt " , NULL , NULL , NULL , NULL ,
true , true , false ,
false , false , 0 ,
true , true , GNUTLS_KP_TLS_WWW_CLIENT , NULL ,
0 , 0 ) ;
2011-07-20 22:04:18 +04:00
/* usage: none:critical */
2013-08-05 20:08:17 +04:00
TLS_CERT_REQ ( servercert16req , cacertreq ,
" UK " , " libvirt " , NULL , NULL , NULL , NULL ,
true , true , false ,
true , true , 0 ,
false , false , NULL , NULL ,
0 , 0 ) ;
2011-07-20 22:04:18 +04:00
2013-08-06 14:35:49 +04:00
DO_CTX_TEST ( true , cacertreq . filename , servercert14req . filename , true ) ;
DO_CTX_TEST ( true , cacertreq . filename , servercert15req . filename , true ) ;
DO_CTX_TEST ( true , cacertreq . filename , servercert16req . filename , true ) ;
2011-07-20 22:04:18 +04:00
/* Various good clients */
/* no usage or purpose */
2013-08-05 20:08:17 +04:00
TLS_CERT_REQ ( clientcert1req , cacertreq ,
" UK " , " libvirt " , NULL , NULL , NULL , NULL ,
true , true , false ,
false , false , 0 ,
false , false , NULL , NULL ,
0 , 0 ) ;
2011-07-20 22:04:18 +04:00
/* usage:cert-sign+dig-sig+encipher:critical */
2013-08-05 20:08:17 +04:00
TLS_CERT_REQ ( clientcert2req , cacertreq ,
" UK " , " libvirt " , NULL , NULL , NULL , NULL ,
true , true , false ,
true , true , GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT | GNUTLS_KEY_KEY_CERT_SIGN ,
false , false , NULL , NULL ,
0 , 0 ) ;
2011-07-20 22:04:18 +04:00
/* usage:cert-sign:not-critical */
2013-08-05 20:08:17 +04:00
TLS_CERT_REQ ( clientcert3req , cacertreq ,
" UK " , " libvirt " , NULL , NULL , NULL , NULL ,
true , true , false ,
true , false , GNUTLS_KEY_KEY_CERT_SIGN ,
false , false , NULL , NULL ,
0 , 0 ) ;
2011-07-20 22:04:18 +04:00
/* purpose:client:critical */
2013-08-05 20:08:17 +04:00
TLS_CERT_REQ ( clientcert4req , cacertreq ,
" UK " , " libvirt " , NULL , NULL , NULL , NULL ,
true , true , false ,
false , false , 0 ,
true , true , GNUTLS_KP_TLS_WWW_CLIENT , NULL ,
0 , 0 ) ;
2011-07-20 22:04:18 +04:00
/* purpose:client:not-critical */
2013-08-05 20:08:17 +04:00
TLS_CERT_REQ ( clientcert5req , cacertreq ,
" UK " , " libvirt " , NULL , NULL , NULL , NULL ,
true , true , false ,
false , false , 0 ,
true , false , GNUTLS_KP_TLS_WWW_CLIENT , NULL ,
0 , 0 ) ;
2011-07-20 22:04:18 +04:00
/* purpose:client+client:critical */
2013-08-05 20:08:17 +04:00
TLS_CERT_REQ ( clientcert6req , cacertreq ,
" UK " , " libvirt " , NULL , NULL , NULL , NULL ,
true , true , false ,
false , false , 0 ,
true , true , GNUTLS_KP_TLS_WWW_CLIENT , GNUTLS_KP_TLS_WWW_SERVER ,
0 , 0 ) ;
2011-07-20 22:04:18 +04:00
/* purpose:client+client:not-critical */
2013-08-05 20:08:17 +04:00
TLS_CERT_REQ ( clientcert7req , cacertreq ,
" UK " , " libvirt " , NULL , NULL , NULL , NULL ,
true , true , false ,
false , false , 0 ,
true , false , GNUTLS_KP_TLS_WWW_CLIENT , GNUTLS_KP_TLS_WWW_SERVER ,
0 , 0 ) ;
2011-07-20 22:04:18 +04:00
2013-08-06 14:35:49 +04:00
DO_CTX_TEST ( false , cacertreq . filename , clientcert1req . filename , false ) ;
DO_CTX_TEST ( false , cacertreq . filename , clientcert2req . filename , false ) ;
DO_CTX_TEST ( false , cacertreq . filename , clientcert3req . filename , false ) ;
DO_CTX_TEST ( false , cacertreq . filename , clientcert4req . filename , false ) ;
DO_CTX_TEST ( false , cacertreq . filename , clientcert5req . filename , false ) ;
DO_CTX_TEST ( false , cacertreq . filename , clientcert6req . filename , false ) ;
DO_CTX_TEST ( false , cacertreq . filename , clientcert7req . filename , false ) ;
2011-07-20 22:04:18 +04:00
/* Bad clients */
/* usage:cert-sign:critical */
2013-08-05 20:08:17 +04:00
TLS_CERT_REQ ( clientcert8req , cacertreq ,
" UK " , " libvirt " , NULL , NULL , NULL , NULL ,
true , true , false ,
true , true , GNUTLS_KEY_KEY_CERT_SIGN ,
false , false , NULL , NULL ,
0 , 0 ) ;
2011-07-20 22:04:18 +04:00
/* purpose:client:critical */
2013-08-05 20:08:17 +04:00
TLS_CERT_REQ ( clientcert9req , cacertreq ,
" UK " , " libvirt " , NULL , NULL , NULL , NULL ,
true , true , false ,
false , false , 0 ,
true , true , GNUTLS_KP_TLS_WWW_SERVER , NULL ,
0 , 0 ) ;
2011-07-20 22:04:18 +04:00
/* usage: none:critical */
2013-08-05 20:08:17 +04:00
TLS_CERT_REQ ( clientcert10req , cacertreq ,
" UK " , " libvirt " , NULL , NULL , NULL , NULL ,
true , true , false ,
true , true , 0 ,
false , false , NULL , NULL ,
0 , 0 ) ;
2011-07-20 22:04:18 +04:00
2013-08-06 14:35:49 +04:00
DO_CTX_TEST ( false , cacertreq . filename , clientcert8req . filename , true ) ;
DO_CTX_TEST ( false , cacertreq . filename , clientcert9req . filename , true ) ;
DO_CTX_TEST ( false , cacertreq . filename , clientcert10req . filename , true ) ;
2011-07-20 22:04:18 +04:00
/* Expired stuff */
2013-08-05 20:08:17 +04:00
TLS_ROOT_REQ ( cacertexpreq ,
" UK " , " libvirt " , NULL , NULL , NULL , NULL ,
true , true , true ,
true , true , GNUTLS_KEY_KEY_CERT_SIGN ,
false , false , NULL , NULL ,
0 , - 1 ) ;
TLS_CERT_REQ ( servercertexpreq , cacertexpreq ,
" UK " , " libvirt.org " , NULL , NULL , NULL , NULL ,
true , true , false ,
true , true , GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT ,
true , true , GNUTLS_KP_TLS_WWW_SERVER , NULL ,
0 , 0 ) ;
TLS_CERT_REQ ( servercertexp1req , cacertreq ,
" UK " , " libvirt " , NULL , NULL , NULL , NULL ,
true , true , false ,
true , true , GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT ,
true , true , GNUTLS_KP_TLS_WWW_SERVER , NULL ,
0 , - 1 ) ;
TLS_CERT_REQ ( clientcertexp1req , cacertreq ,
" UK " , " libvirt " , NULL , NULL , NULL , NULL ,
true , true , false ,
true , true , GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT ,
true , true , GNUTLS_KP_TLS_WWW_CLIENT , NULL ,
0 , - 1 ) ;
2013-08-06 14:35:49 +04:00
DO_CTX_TEST ( true , cacertexpreq . filename , servercertexpreq . filename , true ) ;
DO_CTX_TEST ( true , cacertreq . filename , servercertexp1req . filename , true ) ;
DO_CTX_TEST ( false , cacertreq . filename , clientcertexp1req . filename , true ) ;
2011-07-20 22:04:18 +04:00
/* Not activated stuff */
2013-08-05 20:08:17 +04:00
TLS_ROOT_REQ ( cacertnewreq ,
" UK " , " libvirt " , NULL , NULL , NULL , NULL ,
true , true , true ,
true , true , GNUTLS_KEY_KEY_CERT_SIGN ,
false , false , NULL , NULL ,
1 , 2 ) ;
TLS_CERT_REQ ( servercertnewreq , cacertnewreq ,
" UK " , " libvirt " , NULL , NULL , NULL , NULL ,
true , true , false ,
true , true , GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT ,
true , true , GNUTLS_KP_TLS_WWW_SERVER , NULL ,
0 , 0 ) ;
TLS_CERT_REQ ( servercertnew1req , cacertreq ,
" UK " , " libvirt " , NULL , NULL , NULL , NULL ,
true , true , false ,
true , true , GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT ,
true , true , GNUTLS_KP_TLS_WWW_SERVER , NULL ,
1 , 2 ) ;
TLS_CERT_REQ ( clientcertnew1req , cacertreq ,
" UK " , " libvirt " , NULL , NULL , NULL , NULL ,
true , true , false ,
true , true , GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT ,
true , true , GNUTLS_KP_TLS_WWW_CLIENT , NULL ,
1 , 2 ) ;
2013-08-06 14:35:49 +04:00
DO_CTX_TEST ( true , cacertnewreq . filename , servercertnewreq . filename , true ) ;
DO_CTX_TEST ( true , cacertreq . filename , servercertnew1req . filename , true ) ;
DO_CTX_TEST ( false , cacertreq . filename , clientcertnew1req . filename , true ) ;
2013-08-05 20:08:17 +04:00
2013-08-06 15:31:20 +04:00
TLS_ROOT_REQ ( cacertrootreq ,
" UK " , " libvirt root " , NULL , NULL , NULL , NULL ,
true , true , true ,
true , true , GNUTLS_KEY_KEY_CERT_SIGN ,
false , false , NULL , NULL ,
0 , 0 ) ;
TLS_CERT_REQ ( cacertlevel1areq , cacertrootreq ,
" UK " , " libvirt level 1a " , NULL , NULL , NULL , NULL ,
true , true , true ,
true , true , GNUTLS_KEY_KEY_CERT_SIGN ,
false , false , NULL , NULL ,
0 , 0 ) ;
TLS_CERT_REQ ( cacertlevel1breq , cacertrootreq ,
" UK " , " libvirt level 1b " , NULL , NULL , NULL , NULL ,
true , true , true ,
true , true , GNUTLS_KEY_KEY_CERT_SIGN ,
false , false , NULL , NULL ,
0 , 0 ) ;
TLS_CERT_REQ ( cacertlevel2areq , cacertlevel1areq ,
" UK " , " libvirt level 2a " , NULL , NULL , NULL , NULL ,
true , true , true ,
true , true , GNUTLS_KEY_KEY_CERT_SIGN ,
false , false , NULL , NULL ,
0 , 0 ) ;
TLS_CERT_REQ ( servercertlevel3areq , cacertlevel2areq ,
" UK " , " libvirt.org " , NULL , NULL , NULL , NULL ,
true , true , false ,
true , true , GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT ,
true , true , GNUTLS_KP_TLS_WWW_SERVER , NULL ,
0 , 0 ) ;
TLS_CERT_REQ ( clientcertlevel2breq , cacertlevel1breq ,
" UK " , " libvirt client level 2b " , NULL , NULL , NULL , NULL ,
true , true , false ,
true , true , GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT ,
true , true , GNUTLS_KP_TLS_WWW_CLIENT , NULL ,
0 , 0 ) ;
gnutls_x509_crt_t certchain [ ] = {
cacertrootreq . crt ,
cacertlevel1areq . crt ,
cacertlevel1breq . crt ,
cacertlevel2areq . crt ,
} ;
2013-08-09 11:53:30 +04:00
testTLSWriteCertChain ( " cacertchain-ctx.pem " ,
2013-08-06 15:31:20 +04:00
certchain ,
2019-10-15 14:55:26 +03:00
G_N_ELEMENTS ( certchain ) ) ;
2013-08-06 15:31:20 +04:00
2013-08-09 11:53:30 +04:00
DO_CTX_TEST ( true , " cacertchain-ctx.pem " , servercertlevel3areq . filename , false ) ;
DO_CTX_TEST ( false , " cacertchain-ctx.pem " , clientcertlevel2breq . filename , false ) ;
2013-08-06 15:31:20 +04:00
2013-08-21 15:48:58 +04:00
DO_CTX_TEST ( false , " cacertdoesnotexist.pem " , " servercertdoesnotexist.pem " , true ) ;
2013-08-05 20:08:17 +04:00
testTLSDiscardCert ( & cacertreq ) ;
testTLSDiscardCert ( & cacert1req ) ;
testTLSDiscardCert ( & cacert2req ) ;
testTLSDiscardCert ( & cacert3req ) ;
testTLSDiscardCert ( & cacert4req ) ;
testTLSDiscardCert ( & cacert5req ) ;
testTLSDiscardCert ( & cacert6req ) ;
testTLSDiscardCert ( & servercertreq ) ;
testTLSDiscardCert ( & servercert1req ) ;
testTLSDiscardCert ( & servercert2req ) ;
testTLSDiscardCert ( & servercert3req ) ;
testTLSDiscardCert ( & servercert4req ) ;
testTLSDiscardCert ( & servercert5req ) ;
testTLSDiscardCert ( & servercert6req ) ;
testTLSDiscardCert ( & servercert7req ) ;
testTLSDiscardCert ( & servercert8req ) ;
testTLSDiscardCert ( & servercert9req ) ;
testTLSDiscardCert ( & servercert10req ) ;
testTLSDiscardCert ( & servercert11req ) ;
testTLSDiscardCert ( & servercert12req ) ;
testTLSDiscardCert ( & servercert13req ) ;
testTLSDiscardCert ( & servercert14req ) ;
testTLSDiscardCert ( & servercert15req ) ;
testTLSDiscardCert ( & servercert16req ) ;
testTLSDiscardCert ( & clientcertreq ) ;
testTLSDiscardCert ( & clientcert1req ) ;
testTLSDiscardCert ( & clientcert2req ) ;
testTLSDiscardCert ( & clientcert3req ) ;
testTLSDiscardCert ( & clientcert4req ) ;
testTLSDiscardCert ( & clientcert5req ) ;
testTLSDiscardCert ( & clientcert6req ) ;
testTLSDiscardCert ( & clientcert7req ) ;
testTLSDiscardCert ( & clientcert8req ) ;
testTLSDiscardCert ( & clientcert9req ) ;
testTLSDiscardCert ( & clientcert10req ) ;
testTLSDiscardCert ( & cacertexpreq ) ;
testTLSDiscardCert ( & servercertexpreq ) ;
testTLSDiscardCert ( & servercertexp1req ) ;
testTLSDiscardCert ( & clientcertexp1req ) ;
testTLSDiscardCert ( & cacertnewreq ) ;
testTLSDiscardCert ( & servercertnewreq ) ;
testTLSDiscardCert ( & servercertnew1req ) ;
testTLSDiscardCert ( & clientcertnew1req ) ;
2011-07-20 22:04:18 +04:00
2013-08-06 15:31:20 +04:00
testTLSDiscardCert ( & cacertrootreq ) ;
testTLSDiscardCert ( & cacertlevel1areq ) ;
testTLSDiscardCert ( & cacertlevel1breq ) ;
testTLSDiscardCert ( & cacertlevel2areq ) ;
testTLSDiscardCert ( & servercertlevel3areq ) ;
testTLSDiscardCert ( & clientcertlevel2breq ) ;
2013-08-09 11:53:30 +04:00
unlink ( " cacertchain-ctx.pem " ) ;
2013-08-06 15:31:20 +04:00
2013-08-09 02:08:25 +04:00
testTLSCleanup ( KEYFILE ) ;
2011-07-20 22:04:18 +04:00
2014-03-17 13:38:38 +04:00
return ret = = 0 ? EXIT_SUCCESS : EXIT_FAILURE ;
2011-07-20 22:04:18 +04:00
}
2019-08-21 19:13:16 +03:00
VIR_TEST_MAIN_PRELOAD ( mymain , VIR_TEST_MOCK ( " virrandom " ) )
2011-07-22 21:59:37 +04:00
2011-07-20 22:04:18 +04:00
# else
2011-07-28 19:48:12 +04:00
2011-07-22 21:59:37 +04:00
int
2011-07-28 19:48:12 +04:00
main ( void )
2011-07-20 22:04:18 +04:00
{
2011-07-28 19:48:12 +04:00
return EXIT_AM_SKIP ;
2011-07-20 22:04:18 +04:00
}
2011-07-28 19:48:12 +04:00
2011-07-20 22:04:18 +04:00
# endif