[thirdparty/qemu.git] / tests / test-io-channel-tls.c

/*
 * QEMU I/O channel TLS test
 *
 * Copyright (C) 2015 Red Hat, Inc.
 *
 * This library is free software; you can redistribute it and/or
 * modify it under the terms of the GNU Lesser General Public
 * License as published by the Free Software Foundation; either
 * version 2.1 of the License, or (at your option) any later version.
 *
 * This library is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
 * Lesser General Public License for more details.
 *
 * You should have received a copy of the GNU Lesser General Public
 * License along with this library.  If not, see
 * <http://www.gnu.org/licenses/>.
 *
 * Author: Daniel P. Berrange <berrange@redhat.com>
 */


#include "qemu/osdep.h"

#include "crypto-tls-x509-helpers.h"
#include "io/channel-tls.h"
#include "io/channel-socket.h"
#include "io-channel-helpers.h"
#include "crypto/init.h"
#include "crypto/tlscredsx509.h"
#include "qapi/error.h"
#include "qemu/module.h"
#include "authz/list.h"
#include "qom/object_interfaces.h"

#ifdef QCRYPTO_HAVE_TLS_TEST_SUPPORT

#define WORKDIR "tests/test-io-channel-tls-work/"
#define KEYFILE WORKDIR "key-ctx.pem"

struct QIOChannelTLSTestData {
    const char *servercacrt;
    const char *clientcacrt;
    const char *servercrt;
    const char *clientcrt;
    bool expectServerFail;
    bool expectClientFail;
    const char *hostname;
    const char *const *wildcards;
};

struct QIOChannelTLSHandshakeData {
    bool finished;
    bool failed;
};

static void test_tls_handshake_done(QIOTask *task,
                                    gpointer opaque)
{
    struct QIOChannelTLSHandshakeData *data = opaque;

    data->finished = true;
    data->failed = qio_task_propagate_error(task, NULL);
}


static QCryptoTLSCreds *test_tls_creds_create(QCryptoTLSCredsEndpoint endpoint,
                                              const char *certdir)
{
    Object *parent = object_get_objects_root();
    Object *creds = object_new_with_props(
        TYPE_QCRYPTO_TLS_CREDS_X509,
        parent,
        (endpoint == QCRYPTO_TLS_CREDS_ENDPOINT_SERVER ?
         "testtlscredsserver" : "testtlscredsclient"),
        &error_abort,
        "endpoint", (endpoint == QCRYPTO_TLS_CREDS_ENDPOINT_SERVER ?
                     "server" : "client"),
        "dir", certdir,
        "verify-peer", "yes",
        "priority", "NORMAL",
        /* We skip initial sanity checks here because we
         * want to make sure that problems are being
         * detected at the TLS session validation stage,
         * and the test-crypto-tlscreds test already
         * validate the sanity check code.
         */
        "sanity-check", "no",
        NULL
        );

    return QCRYPTO_TLS_CREDS(creds);
}


/*
 * This tests validation checking of peer certificates
 *
 * This is replicating the checks that are done for an
 * active TLS session after handshake completes. To
 * simulate that we create our TLS contexts, skipping
 * sanity checks. When then get a socketpair, and
 * initiate a TLS session across them. Finally do
 * do actual cert validation tests
 */
static void test_io_channel_tls(const void *opaque)
{
    struct QIOChannelTLSTestData *data =
        (struct QIOChannelTLSTestData *)opaque;
    QCryptoTLSCreds *clientCreds;
    QCryptoTLSCreds *serverCreds;
    QIOChannelTLS *clientChanTLS;
    QIOChannelTLS *serverChanTLS;
    QIOChannelSocket *clientChanSock;
    QIOChannelSocket *serverChanSock;
    QAuthZList *auth;
    const char * const *wildcards;
    int channel[2];
    struct QIOChannelTLSHandshakeData clientHandshake = { false, false };
    struct QIOChannelTLSHandshakeData serverHandshake = { false, false };
    QIOChannelTest *test;
    GMainContext *mainloop;

    /* We'll use this for our fake client-server connection */
    g_assert(socketpair(AF_UNIX, SOCK_STREAM, 0, channel) == 0);

#define CLIENT_CERT_DIR "tests/test-io-channel-tls-client/"
#define SERVER_CERT_DIR "tests/test-io-channel-tls-server/"
    mkdir(CLIENT_CERT_DIR, 0700);
    mkdir(SERVER_CERT_DIR, 0700);

    unlink(SERVER_CERT_DIR QCRYPTO_TLS_CREDS_X509_CA_CERT);
    unlink(SERVER_CERT_DIR QCRYPTO_TLS_CREDS_X509_SERVER_CERT);
    unlink(SERVER_CERT_DIR QCRYPTO_TLS_CREDS_X509_SERVER_KEY);

    unlink(CLIENT_CERT_DIR QCRYPTO_TLS_CREDS_X509_CA_CERT);
    unlink(CLIENT_CERT_DIR QCRYPTO_TLS_CREDS_X509_CLIENT_CERT);
    unlink(CLIENT_CERT_DIR QCRYPTO_TLS_CREDS_X509_CLIENT_KEY);

    g_assert(link(data->servercacrt,
                  SERVER_CERT_DIR QCRYPTO_TLS_CREDS_X509_CA_CERT) == 0);
    g_assert(link(data->servercrt,
                  SERVER_CERT_DIR QCRYPTO_TLS_CREDS_X509_SERVER_CERT) == 0);
    g_assert(link(KEYFILE,
                  SERVER_CERT_DIR QCRYPTO_TLS_CREDS_X509_SERVER_KEY) == 0);

    g_assert(link(data->clientcacrt,
                  CLIENT_CERT_DIR QCRYPTO_TLS_CREDS_X509_CA_CERT) == 0);
    g_assert(link(data->clientcrt,
                  CLIENT_CERT_DIR QCRYPTO_TLS_CREDS_X509_CLIENT_CERT) == 0);
    g_assert(link(KEYFILE,
                  CLIENT_CERT_DIR QCRYPTO_TLS_CREDS_X509_CLIENT_KEY) == 0);

    clientCreds = test_tls_creds_create(
        QCRYPTO_TLS_CREDS_ENDPOINT_CLIENT,
        CLIENT_CERT_DIR);
    g_assert(clientCreds != NULL);

    serverCreds = test_tls_creds_create(
        QCRYPTO_TLS_CREDS_ENDPOINT_SERVER,
        SERVER_CERT_DIR);
    g_assert(serverCreds != NULL);

    auth = qauthz_list_new("channeltlsacl",
                           QAUTHZ_LIST_POLICY_DENY,
                           &error_abort);
    wildcards = data->wildcards;
    while (wildcards && *wildcards) {
        qauthz_list_append_rule(auth, *wildcards,
                                QAUTHZ_LIST_POLICY_ALLOW,
                                QAUTHZ_LIST_FORMAT_GLOB,
                                &error_abort);
        wildcards++;
    }

    clientChanSock = qio_channel_socket_new_fd(
        channel[0], &error_abort);
    g_assert(clientChanSock != NULL);
    serverChanSock = qio_channel_socket_new_fd(
        channel[1], &error_abort);
    g_assert(serverChanSock != NULL);

    /*
     * We have an evil loop to do the handshake in a single
     * thread, so we need these non-blocking to avoid deadlock
     * of ourselves
     */
    qio_channel_set_blocking(QIO_CHANNEL(clientChanSock), false, NULL);
    qio_channel_set_blocking(QIO_CHANNEL(serverChanSock), false, NULL);

    /* Now the real part of the test, setup the sessions */
    clientChanTLS = qio_channel_tls_new_client(
        QIO_CHANNEL(clientChanSock), clientCreds,
        data->hostname, &error_abort);
    g_assert(clientChanTLS != NULL);

    serverChanTLS = qio_channel_tls_new_server(
        QIO_CHANNEL(serverChanSock), serverCreds,
        "channeltlsacl", &error_abort);
    g_assert(serverChanTLS != NULL);

    qio_channel_tls_handshake(clientChanTLS,
                              test_tls_handshake_done,
                              &clientHandshake,
                              NULL,
                              NULL);
    qio_channel_tls_handshake(serverChanTLS,
                              test_tls_handshake_done,
                              &serverHandshake,
                              NULL,
                              NULL);

    /*
     * Finally we loop around & around doing handshake on each
     * session until we get an error, or the handshake completes.
     * This relies on the socketpair being nonblocking to avoid
     * deadlocking ourselves upon handshake
     */
    mainloop = g_main_context_default();
    do {
        g_main_context_iteration(mainloop, TRUE);
    } while (!clientHandshake.finished ||
             !serverHandshake.finished);

    g_assert(clientHandshake.failed == data->expectClientFail);
    g_assert(serverHandshake.failed == data->expectServerFail);

    test = qio_channel_test_new();
    qio_channel_test_run_threads(test, false,
                                 QIO_CHANNEL(clientChanTLS),
                                 QIO_CHANNEL(serverChanTLS));
    qio_channel_test_validate(test);

    test = qio_channel_test_new();
    qio_channel_test_run_threads(test, true,
                                 QIO_CHANNEL(clientChanTLS),
                                 QIO_CHANNEL(serverChanTLS));
    qio_channel_test_validate(test);

    unlink(SERVER_CERT_DIR QCRYPTO_TLS_CREDS_X509_CA_CERT);
    unlink(SERVER_CERT_DIR QCRYPTO_TLS_CREDS_X509_SERVER_CERT);
    unlink(SERVER_CERT_DIR QCRYPTO_TLS_CREDS_X509_SERVER_KEY);

    unlink(CLIENT_CERT_DIR QCRYPTO_TLS_CREDS_X509_CA_CERT);
    unlink(CLIENT_CERT_DIR QCRYPTO_TLS_CREDS_X509_CLIENT_CERT);
    unlink(CLIENT_CERT_DIR QCRYPTO_TLS_CREDS_X509_CLIENT_KEY);

    rmdir(CLIENT_CERT_DIR);
    rmdir(SERVER_CERT_DIR);

    object_unparent(OBJECT(serverCreds));
    object_unparent(OBJECT(clientCreds));

    object_unref(OBJECT(serverChanTLS));
    object_unref(OBJECT(clientChanTLS));

    object_unref(OBJECT(serverChanSock));
    object_unref(OBJECT(clientChanSock));

    object_unparent(OBJECT(auth));

    close(channel[0]);
    close(channel[1]);
}


int main(int argc, char **argv)
{
    int ret;

    g_assert(qcrypto_init(NULL) == 0);

    module_call_init(MODULE_INIT_QOM);
    g_test_init(&argc, &argv, NULL);
    setenv("GNUTLS_FORCE_FIPS_MODE", "2", 1);

    mkdir(WORKDIR, 0700);

    test_tls_init(KEYFILE);

# define TEST_CHANNEL(name, caCrt,                                      \
                      serverCrt, clientCrt,                             \
                      expectServerFail, expectClientFail,               \
                      hostname, wildcards)                              \
    struct QIOChannelTLSTestData name = {                               \
        caCrt, caCrt, serverCrt, clientCrt,                             \
        expectServerFail, expectClientFail,                             \
        hostname, wildcards                                             \
    };                                                                  \
    g_test_add_data_func("/qio/channel/tls/" # name,                    \
                         &name, test_io_channel_tls);

    /* A perfect CA, perfect client & perfect server */

    /* Basic:CA:critical */
    TLS_ROOT_REQ(cacertreq,
                 "UK", "qemu CA", NULL, NULL, NULL, NULL,
                 true, true, true,
                 true, true, GNUTLS_KEY_KEY_CERT_SIGN,
                 false, false, NULL, NULL,
                 0, 0);
    TLS_CERT_REQ(servercertreq, cacertreq,
                 "UK", "qemu.org", NULL, NULL, NULL, NULL,
                 true, true, false,
                 true, true,
                 GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT,
                 true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL,
                 0, 0);
    TLS_CERT_REQ(clientcertreq, cacertreq,
                 "UK", "qemu", NULL, NULL, NULL, NULL,
                 true, true, false,
                 true, true,
                 GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT,
                 true, true, GNUTLS_KP_TLS_WWW_CLIENT, NULL,
                 0, 0);

    const char *const wildcards[] = {
        "C=UK,CN=qemu*",
        NULL,
    };
    TEST_CHANNEL(basic, cacertreq.filename, servercertreq.filename,
                 clientcertreq.filename, false, false,
                 "qemu.org", wildcards);

    ret = g_test_run();

    test_tls_discard_cert(&clientcertreq);
    test_tls_discard_cert(&servercertreq);
    test_tls_discard_cert(&cacertreq);

    test_tls_cleanup(KEYFILE);
    rmdir(WORKDIR);

    return ret == 0 ? EXIT_SUCCESS : EXIT_FAILURE;
}

#else /* ! QCRYPTO_HAVE_TLS_TEST_SUPPORT */

int
main(void)
{
    return EXIT_SUCCESS;
}

#endif /* ! QCRYPTO_HAVE_TLS_TEST_SUPPORT */
Commit	Line	Data
ed8ee42c DB	1	/*
	2	* QEMU I/O channel TLS test
	3	*
	4	* Copyright (C) 2015 Red Hat, Inc.
	5	*
	6	* This library is free software; you can redistribute it and/or
	7	* modify it under the terms of the GNU Lesser General Public
	8	* License as published by the Free Software Foundation; either
	9	* version 2.1 of the License, or (at your option) any later version.
	10	*
	11	* This library is distributed in the hope that it will be useful,
	12	* but WITHOUT ANY WARRANTY; without even the implied warranty of
	13	* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
	14	* Lesser General Public License for more details.
	15	*
	16	* You should have received a copy of the GNU Lesser General Public
	17	* License along with this library. If not, see
	18	* <http://www.gnu.org/licenses/>.
	19	*
	20	* Author: Daniel P. Berrange <berrange@redhat.com>
	21	*/
	22
	23
681c28a3	24	#include "qemu/osdep.h"
ed8ee42c	25
ed8ee42c DB	26	#include "crypto-tls-x509-helpers.h"
	27	#include "io/channel-tls.h"
	28	#include "io/channel-socket.h"
	29	#include "io-channel-helpers.h"
d26d6b5d	30	#include "crypto/init.h"
ed8ee42c	31	#include "crypto/tlscredsx509.h"
68db1318	32	#include "qapi/error.h"
0b8fa32f	33	#include "qemu/module.h"
b76806d4	34	#include "authz/list.h"
ed8ee42c DB	35	#include "qom/object_interfaces.h"
	36
	37	#ifdef QCRYPTO_HAVE_TLS_TEST_SUPPORT
	38
	39	#define WORKDIR "tests/test-io-channel-tls-work/"
	40	#define KEYFILE WORKDIR "key-ctx.pem"
	41
	42	struct QIOChannelTLSTestData {
	43	const char *servercacrt;
	44	const char *clientcacrt;
	45	const char *servercrt;
	46	const char *clientcrt;
	47	bool expectServerFail;
	48	bool expectClientFail;
	49	const char *hostname;
	50	const char const wildcards;
	51	};
	52
	53	struct QIOChannelTLSHandshakeData {
	54	bool finished;
	55	bool failed;
	56	};
	57
60e705c5	58	static void test_tls_handshake_done(QIOTask *task,
ed8ee42c DB	59	gpointer opaque)
	60	{
	61	struct QIOChannelTLSHandshakeData *data = opaque;
	62
	63	data->finished = true;
60e705c5	64	data->failed = qio_task_propagate_error(task, NULL);
ed8ee42c DB	65	}
	66
	67
	68	static QCryptoTLSCreds *test_tls_creds_create(QCryptoTLSCredsEndpoint endpoint,
68db1318	69	const char *certdir)
ed8ee42c DB	70	{
	71	Object *parent = object_get_objects_root();
	72	Object *creds = object_new_with_props(
	73	TYPE_QCRYPTO_TLS_CREDS_X509,
	74	parent,
	75	(endpoint == QCRYPTO_TLS_CREDS_ENDPOINT_SERVER ?
	76	"testtlscredsserver" : "testtlscredsclient"),
68db1318	77	&error_abort,
ed8ee42c DB	78	"endpoint", (endpoint == QCRYPTO_TLS_CREDS_ENDPOINT_SERVER ?
	79	"server" : "client"),
	80	"dir", certdir,
	81	"verify-peer", "yes",
057ad0b4	82	"priority", "NORMAL",
ed8ee42c DB	83	/* We skip initial sanity checks here because we
	84	* want to make sure that problems are being
	85	* detected at the TLS session validation stage,
	86	* and the test-crypto-tlscreds test already
	87	* validate the sanity check code.
	88	*/
	89	"sanity-check", "no",
	90	NULL
	91	);
	92
ed8ee42c DB	93	return QCRYPTO_TLS_CREDS(creds);
	94	}
	95
	96
	97	/*
	98	* This tests validation checking of peer certificates
	99	*
	100	* This is replicating the checks that are done for an
	101	* active TLS session after handshake completes. To
	102	* simulate that we create our TLS contexts, skipping
	103	* sanity checks. When then get a socketpair, and
	104	* initiate a TLS session across them. Finally do
	105	* do actual cert validation tests
	106	*/
	107	static void test_io_channel_tls(const void *opaque)
	108	{
	109	struct QIOChannelTLSTestData *data =
	110	(struct QIOChannelTLSTestData *)opaque;
	111	QCryptoTLSCreds *clientCreds;
	112	QCryptoTLSCreds *serverCreds;
	113	QIOChannelTLS *clientChanTLS;
	114	QIOChannelTLS *serverChanTLS;
	115	QIOChannelSocket *clientChanSock;
	116	QIOChannelSocket *serverChanSock;
b76806d4	117	QAuthZList *auth;
ed8ee42c DB	118	const char * const *wildcards;
	119	int channel[2];
	120	struct QIOChannelTLSHandshakeData clientHandshake = { false, false };
	121	struct QIOChannelTLSHandshakeData serverHandshake = { false, false };
ed8ee42c DB	122	QIOChannelTest *test;
	123	GMainContext *mainloop;
	124
	125	/* We'll use this for our fake client-server connection */
	126	g_assert(socketpair(AF_UNIX, SOCK_STREAM, 0, channel) == 0);
	127
d4adf967 DB	128	#define CLIENT_CERT_DIR "tests/test-io-channel-tls-client/"
d4adf967 DB	129	#define SERVER_CERT_DIR "tests/test-io-channel-tls-server/"
ed8ee42c DB	130	mkdir(CLIENT_CERT_DIR, 0700);
	131	mkdir(SERVER_CERT_DIR, 0700);
	132
	133	unlink(SERVER_CERT_DIR QCRYPTO_TLS_CREDS_X509_CA_CERT);
	134	unlink(SERVER_CERT_DIR QCRYPTO_TLS_CREDS_X509_SERVER_CERT);
	135	unlink(SERVER_CERT_DIR QCRYPTO_TLS_CREDS_X509_SERVER_KEY);
	136
	137	unlink(CLIENT_CERT_DIR QCRYPTO_TLS_CREDS_X509_CA_CERT);
	138	unlink(CLIENT_CERT_DIR QCRYPTO_TLS_CREDS_X509_CLIENT_CERT);
	139	unlink(CLIENT_CERT_DIR QCRYPTO_TLS_CREDS_X509_CLIENT_KEY);
	140
	141	g_assert(link(data->servercacrt,
	142	SERVER_CERT_DIR QCRYPTO_TLS_CREDS_X509_CA_CERT) == 0);
	143	g_assert(link(data->servercrt,
	144	SERVER_CERT_DIR QCRYPTO_TLS_CREDS_X509_SERVER_CERT) == 0);
	145	g_assert(link(KEYFILE,
	146	SERVER_CERT_DIR QCRYPTO_TLS_CREDS_X509_SERVER_KEY) == 0);
	147
	148	g_assert(link(data->clientcacrt,
	149	CLIENT_CERT_DIR QCRYPTO_TLS_CREDS_X509_CA_CERT) == 0);
	150	g_assert(link(data->clientcrt,
	151	CLIENT_CERT_DIR QCRYPTO_TLS_CREDS_X509_CLIENT_CERT) == 0);
	152	g_assert(link(KEYFILE,
	153	CLIENT_CERT_DIR QCRYPTO_TLS_CREDS_X509_CLIENT_KEY) == 0);
	154
	155	clientCreds = test_tls_creds_create(
	156	QCRYPTO_TLS_CREDS_ENDPOINT_CLIENT,
68db1318	157	CLIENT_CERT_DIR);
ed8ee42c DB	158	g_assert(clientCreds != NULL);
	159
	160	serverCreds = test_tls_creds_create(
	161	QCRYPTO_TLS_CREDS_ENDPOINT_SERVER,
68db1318	162	SERVER_CERT_DIR);
ed8ee42c DB	163	g_assert(serverCreds != NULL);
ed8ee42c DB	164
b76806d4 DB	165	auth = qauthz_list_new("channeltlsacl",
	166	QAUTHZ_LIST_POLICY_DENY,
	167	&error_abort);
ed8ee42c DB	168	wildcards = data->wildcards;
ed8ee42c DB	169	while (wildcards && *wildcards) {
b76806d4 DB	170	qauthz_list_append_rule(auth, *wildcards,
	171	QAUTHZ_LIST_POLICY_ALLOW,
	172	QAUTHZ_LIST_FORMAT_GLOB,
	173	&error_abort);
ed8ee42c DB	174	wildcards++;
	175	}
	176
	177	clientChanSock = qio_channel_socket_new_fd(
68db1318	178	channel[0], &error_abort);
ed8ee42c DB	179	g_assert(clientChanSock != NULL);
ed8ee42c DB	180	serverChanSock = qio_channel_socket_new_fd(
68db1318	181	channel[1], &error_abort);
ed8ee42c DB	182	g_assert(serverChanSock != NULL);
	183
	184	/*
	185	* We have an evil loop to do the handshake in a single
	186	* thread, so we need these non-blocking to avoid deadlock
	187	* of ourselves
	188	*/
	189	qio_channel_set_blocking(QIO_CHANNEL(clientChanSock), false, NULL);
	190	qio_channel_set_blocking(QIO_CHANNEL(serverChanSock), false, NULL);
	191
	192	/* Now the real part of the test, setup the sessions */
	193	clientChanTLS = qio_channel_tls_new_client(
	194	QIO_CHANNEL(clientChanSock), clientCreds,
68db1318	195	data->hostname, &error_abort);
ed8ee42c DB	196	g_assert(clientChanTLS != NULL);
	197
	198	serverChanTLS = qio_channel_tls_new_server(
	199	QIO_CHANNEL(serverChanSock), serverCreds,
68db1318	200	"channeltlsacl", &error_abort);
ed8ee42c DB	201	g_assert(serverChanTLS != NULL);
	202
	203	qio_channel_tls_handshake(clientChanTLS,
	204	test_tls_handshake_done,
	205	&clientHandshake,
1939ccda	206	NULL,
ed8ee42c DB	207	NULL);
	208	qio_channel_tls_handshake(serverChanTLS,
	209	test_tls_handshake_done,
	210	&serverHandshake,
1939ccda	211	NULL,
ed8ee42c DB	212	NULL);
	213
	214	/*
	215	* Finally we loop around & around doing handshake on each
	216	* session until we get an error, or the handshake completes.
	217	* This relies on the socketpair being nonblocking to avoid
	218	* deadlocking ourselves upon handshake
	219	*/
	220	mainloop = g_main_context_default();
	221	do {
	222	g_main_context_iteration(mainloop, TRUE);
689ed13e	223	} while (!clientHandshake.finished \|\|
ed8ee42c DB	224	!serverHandshake.finished);
	225
	226	g_assert(clientHandshake.failed == data->expectClientFail);
	227	g_assert(serverHandshake.failed == data->expectServerFail);
	228
	229	test = qio_channel_test_new();
	230	qio_channel_test_run_threads(test, false,
	231	QIO_CHANNEL(clientChanTLS),
	232	QIO_CHANNEL(serverChanTLS));
	233	qio_channel_test_validate(test);
	234
	235	test = qio_channel_test_new();
	236	qio_channel_test_run_threads(test, true,
	237	QIO_CHANNEL(clientChanTLS),
	238	QIO_CHANNEL(serverChanTLS));
	239	qio_channel_test_validate(test);
	240
	241	unlink(SERVER_CERT_DIR QCRYPTO_TLS_CREDS_X509_CA_CERT);
	242	unlink(SERVER_CERT_DIR QCRYPTO_TLS_CREDS_X509_SERVER_CERT);
	243	unlink(SERVER_CERT_DIR QCRYPTO_TLS_CREDS_X509_SERVER_KEY);
	244
	245	unlink(CLIENT_CERT_DIR QCRYPTO_TLS_CREDS_X509_CA_CERT);
	246	unlink(CLIENT_CERT_DIR QCRYPTO_TLS_CREDS_X509_CLIENT_CERT);
	247	unlink(CLIENT_CERT_DIR QCRYPTO_TLS_CREDS_X509_CLIENT_KEY);
	248
	249	rmdir(CLIENT_CERT_DIR);
	250	rmdir(SERVER_CERT_DIR);
	251
	252	object_unparent(OBJECT(serverCreds));
	253	object_unparent(OBJECT(clientCreds));
	254
	255	object_unref(OBJECT(serverChanTLS));
	256	object_unref(OBJECT(clientChanTLS));
	257
	258	object_unref(OBJECT(serverChanSock));
	259	object_unref(OBJECT(clientChanSock));
	260
b76806d4 DB	261	object_unparent(OBJECT(auth));
b76806d4 DB	262
ed8ee42c DB	263	close(channel[0]);
	264	close(channel[1]);
	265	}
	266
	267
	268	int main(int argc, char **argv)
	269	{
	270	int ret;
	271
d26d6b5d DB	272	g_assert(qcrypto_init(NULL) == 0);
d26d6b5d DB	273
ed8ee42c DB	274	module_call_init(MODULE_INIT_QOM);
	275	g_test_init(&argc, &argv, NULL);
	276	setenv("GNUTLS_FORCE_FIPS_MODE", "2", 1);
	277
	278	mkdir(WORKDIR, 0700);
	279
	280	test_tls_init(KEYFILE);
	281
	282	# define TEST_CHANNEL(name, caCrt, \
	283	serverCrt, clientCrt, \
	284	expectServerFail, expectClientFail, \
	285	hostname, wildcards) \
	286	struct QIOChannelTLSTestData name = { \
	287	caCrt, caCrt, serverCrt, clientCrt, \
	288	expectServerFail, expectClientFail, \
	289	hostname, wildcards \
	290	}; \
	291	g_test_add_data_func("/qio/channel/tls/" # name, \
	292	&name, test_io_channel_tls);
	293
	294	/* A perfect CA, perfect client & perfect server */
	295
	296	/* Basic:CA:critical */
	297	TLS_ROOT_REQ(cacertreq,
	298	"UK", "qemu CA", NULL, NULL, NULL, NULL,
	299	true, true, true,
	300	true, true, GNUTLS_KEY_KEY_CERT_SIGN,
	301	false, false, NULL, NULL,
	302	0, 0);
	303	TLS_CERT_REQ(servercertreq, cacertreq,
	304	"UK", "qemu.org", NULL, NULL, NULL, NULL,
	305	true, true, false,
	306	true, true,
	307	GNUTLS_KEY_DIGITAL_SIGNATURE \| GNUTLS_KEY_KEY_ENCIPHERMENT,
	308	true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL,
	309	0, 0);
	310	TLS_CERT_REQ(clientcertreq, cacertreq,
	311	"UK", "qemu", NULL, NULL, NULL, NULL,
	312	true, true, false,
	313	true, true,
	314	GNUTLS_KEY_DIGITAL_SIGNATURE \| GNUTLS_KEY_KEY_ENCIPHERMENT,
	315	true, true, GNUTLS_KP_TLS_WWW_CLIENT, NULL,
	316	0, 0);
	317
	318	const char *const wildcards[] = {
	319	"C=UK,CN=qemu*",
	320	NULL,
	321	};
	322	TEST_CHANNEL(basic, cacertreq.filename, servercertreq.filename,
	323	clientcertreq.filename, false, false,
	324	"qemu.org", wildcards);
	325
	326	ret = g_test_run();
	327
	328	test_tls_discard_cert(&clientcertreq);
	329	test_tls_discard_cert(&servercertreq);
	330	test_tls_discard_cert(&cacertreq);
	331
	332	test_tls_cleanup(KEYFILE);
	333	rmdir(WORKDIR);
	334
	335	return ret == 0 ? EXIT_SUCCESS : EXIT_FAILURE;
	336	}
	337
338	#else /* ! QCRYPTO_HAVE_TLS_TEST_SUPPORT */
339
340	int
341	main(void)
342	{
343	return EXIT_SUCCESS;
344	}
345
346	#endif /* ! QCRYPTO_HAVE_TLS_TEST_SUPPORT */