2011-07-20 18:04:18 +00:00
|
|
|
/*
|
2012-01-30 17:44:13 +00:00
|
|
|
* Copyright (C) 2011-2012 Red Hat, Inc.
|
2011-07-20 18:04:18 +00:00
|
|
|
*
|
|
|
|
* This library is free software; you can redistribute it and/or
|
|
|
|
* modify it under the terms of the GNU Lesser General Public
|
|
|
|
* License as published by the Free Software Foundation; either
|
|
|
|
* version 2.1 of the License, or (at your option) any later version.
|
|
|
|
*
|
|
|
|
* This library is distributed in the hope that it will be useful,
|
|
|
|
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
|
|
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
|
|
|
|
* Lesser General Public License for more details.
|
|
|
|
*
|
|
|
|
* You should have received a copy of the GNU Lesser General Public
|
2012-09-20 22:30:55 +00:00
|
|
|
* License along with this library. If not, see
|
2012-07-21 10:06:23 +00:00
|
|
|
* <http://www.gnu.org/licenses/>.
|
2011-07-20 18:04:18 +00:00
|
|
|
*
|
|
|
|
* Author: Daniel P. Berrange <berrange@redhat.com>
|
|
|
|
*/
|
|
|
|
|
|
|
|
#include <config.h>
|
|
|
|
|
|
|
|
#include <stdlib.h>
|
|
|
|
#include <fcntl.h>
|
|
|
|
#include <sys/socket.h>
|
|
|
|
|
|
|
|
#include "testutils.h"
|
2013-08-05 15:49:24 +00:00
|
|
|
#include "virnettlshelpers.h"
|
2012-12-13 17:44:57 +00:00
|
|
|
#include "virutil.h"
|
2012-12-13 18:21:53 +00:00
|
|
|
#include "virerror.h"
|
2012-12-12 18:06:53 +00:00
|
|
|
#include "viralloc.h"
|
2012-12-12 17:59:27 +00:00
|
|
|
#include "virlog.h"
|
2011-07-20 18:04:18 +00:00
|
|
|
#include "virfile.h"
|
2012-12-12 16:27:01 +00:00
|
|
|
#include "vircommand.h"
|
Split src/util/network.{c,h} into 5 pieces
The src/util/network.c file is a dumping ground for many different
APIs. Split it up into 5 pieces, along functional lines
- src/util/virnetdevbandwidth.c: virNetDevBandwidth type & helper APIs
- src/util/virnetdevvportprofile.c: virNetDevVPortProfile type & helper APIs
- src/util/virsocketaddr.c: virSocketAddr and APIs
- src/conf/netdev_bandwidth_conf.c: XML parsing / formatting
for virNetDevBandwidth
- src/conf/netdev_vport_profile_conf.c: XML parsing / formatting
for virNetDevVPortProfile
* src/util/network.c, src/util/network.h: Split into 5 pieces
* src/conf/netdev_bandwidth_conf.c, src/conf/netdev_bandwidth_conf.h,
src/conf/netdev_vport_profile_conf.c, src/conf/netdev_vport_profile_conf.h,
src/util/virnetdevbandwidth.c, src/util/virnetdevbandwidth.h,
src/util/virnetdevvportprofile.c, src/util/virnetdevvportprofile.h,
src/util/virsocketaddr.c, src/util/virsocketaddr.h: New pieces
* daemon/libvirtd.h, daemon/remote.c, src/conf/domain_conf.c,
src/conf/domain_conf.h, src/conf/network_conf.c,
src/conf/network_conf.h, src/conf/nwfilter_conf.h,
src/esx/esx_util.h, src/network/bridge_driver.c,
src/qemu/qemu_conf.c, src/rpc/virnetsocket.c,
src/rpc/virnetsocket.h, src/util/dnsmasq.h, src/util/interface.h,
src/util/iptables.h, src/util/macvtap.c, src/util/macvtap.h,
src/util/virnetdev.h, src/util/virnetdevtap.c,
tools/virsh.c: Update include files
2011-11-02 15:40:08 +00:00
|
|
|
#include "virsocketaddr.h"
|
2011-07-20 18:04:18 +00:00
|
|
|
|
2012-01-30 17:44:13 +00:00
|
|
|
#if !defined WIN32 && HAVE_LIBTASN1_H && LIBGNUTLS_VERSION_NUMBER >= 0x020600
|
2011-07-20 18:04:18 +00:00
|
|
|
|
|
|
|
# include "rpc/virnettlscontext.h"
|
|
|
|
|
|
|
|
# define VIR_FROM_THIS VIR_FROM_RPC
|
|
|
|
|
2013-08-08 22:08:25 +00:00
|
|
|
# define KEYFILE "key-ctx.pem"
|
|
|
|
|
2011-07-20 18:04:18 +00:00
|
|
|
struct testTLSContextData {
|
|
|
|
bool isServer;
|
2013-08-06 10:35:49 +00:00
|
|
|
const char *cacrt;
|
|
|
|
const char *crt;
|
2011-07-20 18:04:18 +00:00
|
|
|
bool expectFail;
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
* This tests sanity checking of our own certificates
|
|
|
|
*
|
|
|
|
* This code is done when libvirtd starts up, or before
|
|
|
|
* a libvirt client connects. The test is ensuring that
|
|
|
|
* the creation of virNetTLSContextPtr fails if we
|
2012-10-11 16:31:20 +00:00
|
|
|
* give bogus certs, or succeeds for good certs
|
2011-07-20 18:04:18 +00:00
|
|
|
*/
|
|
|
|
static int testTLSContextInit(const void *opaque)
|
|
|
|
{
|
|
|
|
struct testTLSContextData *data = (struct testTLSContextData *)opaque;
|
|
|
|
virNetTLSContextPtr ctxt = NULL;
|
|
|
|
int ret = -1;
|
|
|
|
|
|
|
|
if (data->isServer) {
|
2013-08-06 10:35:49 +00:00
|
|
|
ctxt = virNetTLSContextNewServer(data->cacrt,
|
2011-07-20 18:04:18 +00:00
|
|
|
NULL,
|
2013-08-06 10:35:49 +00:00
|
|
|
data->crt,
|
2013-08-08 22:08:25 +00:00
|
|
|
KEYFILE,
|
2011-07-20 18:04:18 +00:00
|
|
|
NULL,
|
|
|
|
true,
|
|
|
|
true);
|
|
|
|
} else {
|
2013-08-06 10:35:49 +00:00
|
|
|
ctxt = virNetTLSContextNewClient(data->cacrt,
|
2011-07-20 18:04:18 +00:00
|
|
|
NULL,
|
2013-08-06 10:35:49 +00:00
|
|
|
data->crt,
|
2013-08-08 22:08:25 +00:00
|
|
|
KEYFILE,
|
2011-07-20 18:04:18 +00:00
|
|
|
true,
|
|
|
|
true);
|
|
|
|
}
|
|
|
|
|
|
|
|
if (ctxt) {
|
|
|
|
if (data->expectFail) {
|
|
|
|
VIR_WARN("Expected failure %s against %s",
|
2013-08-06 10:35:49 +00:00
|
|
|
data->cacrt, data->crt);
|
2011-07-20 18:04:18 +00:00
|
|
|
goto cleanup;
|
|
|
|
}
|
|
|
|
} else {
|
|
|
|
virErrorPtr err = virGetLastError();
|
|
|
|
if (!data->expectFail) {
|
|
|
|
VIR_WARN("Unexpected failure %s against %s",
|
2013-08-06 10:35:49 +00:00
|
|
|
data->cacrt, data->crt);
|
2011-07-20 18:04:18 +00:00
|
|
|
goto cleanup;
|
|
|
|
}
|
|
|
|
VIR_DEBUG("Got error %s", err ? err->message : "<unknown>");
|
|
|
|
}
|
|
|
|
|
|
|
|
ret = 0;
|
|
|
|
|
|
|
|
cleanup:
|
2012-07-11 13:35:48 +00:00
|
|
|
virObjectUnref(ctxt);
|
2011-07-20 18:04:18 +00:00
|
|
|
return ret;
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
static int
|
|
|
|
mymain(void)
|
|
|
|
{
|
|
|
|
int ret = 0;
|
|
|
|
|
2013-08-08 22:08:25 +00:00
|
|
|
testTLSInit(KEYFILE);
|
2011-07-20 18:04:18 +00:00
|
|
|
|
2013-08-06 10:35:49 +00:00
|
|
|
# define DO_CTX_TEST(_isServer, _caCrt, _crt, _expectFail) \
|
2011-07-20 18:04:18 +00:00
|
|
|
do { \
|
test: fix build errors with gcc 4.7.0 and -O0
When building on Fedora 17 (which uses gcc 4.7.0) with -O0 in CFLAGS,
three of the tests failed to compile.
cputest.c and qemuxml2argvtest.c had non-static structs defined
inside the macro that was being repeatedly invoked. Due to some so-far
unidentified change in gcc, the stack space used by variables defined
inside { } is not recovered/re-used when the block ends, so all these
structs have become additive (this is the same problem worked around
in commit cf57d345b). Fortunately, these two files could be fixed with
a single line addition of "static" to the struct definition in the
macro.
virnettlscontexttest.c was a bit different, though. The problem structs
in the do/while loop of macros had non-constant initializers, so it
took a bit more work and piecemeal initialization instead of member
initialization to get things to be happy.
In an ideal world, none of these changes should be necessary, but not
knowing how long it will be until the gcc regressions are fixed, and
since the code is just as correct after this patch as before, it makes
sense to fix libvirt's build for -O0 while also reporting the gcc
problem.
2012-04-05 20:31:36 +00:00
|
|
|
static struct testTLSContextData data; \
|
|
|
|
data.isServer = _isServer; \
|
2013-08-06 10:35:49 +00:00
|
|
|
data.cacrt = _caCrt; \
|
|
|
|
data.crt = _crt; \
|
test: fix build errors with gcc 4.7.0 and -O0
When building on Fedora 17 (which uses gcc 4.7.0) with -O0 in CFLAGS,
three of the tests failed to compile.
cputest.c and qemuxml2argvtest.c had non-static structs defined
inside the macro that was being repeatedly invoked. Due to some so-far
unidentified change in gcc, the stack space used by variables defined
inside { } is not recovered/re-used when the block ends, so all these
structs have become additive (this is the same problem worked around
in commit cf57d345b). Fortunately, these two files could be fixed with
a single line addition of "static" to the struct definition in the
macro.
virnettlscontexttest.c was a bit different, though. The problem structs
in the do/while loop of macros had non-constant initializers, so it
took a bit more work and piecemeal initialization instead of member
initialization to get things to be happy.
In an ideal world, none of these changes should be necessary, but not
knowing how long it will be until the gcc regressions are fixed, and
since the code is just as correct after this patch as before, it makes
sense to fix libvirt's build for -O0 while also reporting the gcc
problem.
2012-04-05 20:31:36 +00:00
|
|
|
data.expectFail = _expectFail; \
|
2013-08-06 10:35:49 +00:00
|
|
|
if (virtTestRun("TLS Context " #_caCrt " + " #_crt, 1, \
|
2013-08-05 16:08:17 +00:00
|
|
|
testTLSContextInit, &data) < 0) \
|
2011-07-20 18:04:18 +00:00
|
|
|
ret = -1; \
|
|
|
|
} while (0)
|
|
|
|
|
2013-08-05 16:08:17 +00:00
|
|
|
# define TLS_CERT_REQ(varname, cavarname, \
|
|
|
|
co, cn, an1, an2, ia1, ia2, bce, bcc, bci, \
|
|
|
|
kue, kuc, kuv, kpe, kpc, kpo1, kpo2, so, eo) \
|
|
|
|
static struct testTLSCertReq varname = { \
|
2013-08-06 10:35:49 +00:00
|
|
|
NULL, #varname "-ctx.pem", \
|
2013-08-05 16:08:17 +00:00
|
|
|
co, cn, an1, an2, ia1, ia2, bce, bcc, bci, \
|
|
|
|
kue, kuc, kuv, kpe, kpc, kpo1, kpo2, so, eo \
|
|
|
|
}; \
|
|
|
|
testTLSGenerateCert(&varname, cavarname.crt)
|
|
|
|
|
|
|
|
# define TLS_ROOT_REQ(varname, \
|
|
|
|
co, cn, an1, an2, ia1, ia2, bce, bcc, bci, \
|
|
|
|
kue, kuc, kuv, kpe, kpc, kpo1, kpo2, so, eo) \
|
|
|
|
static struct testTLSCertReq varname = { \
|
2013-08-06 10:35:49 +00:00
|
|
|
NULL, #varname "-ctx.pem", \
|
2013-08-05 16:08:17 +00:00
|
|
|
co, cn, an1, an2, ia1, ia2, bce, bcc, bci, \
|
|
|
|
kue, kuc, kuv, kpe, kpc, kpo1, kpo2, so, eo \
|
|
|
|
}; \
|
|
|
|
testTLSGenerateCert(&varname, NULL)
|
|
|
|
|
|
|
|
|
2011-07-20 18:04:18 +00:00
|
|
|
/* A perfect CA, perfect client & perfect server */
|
|
|
|
|
|
|
|
/* Basic:CA:critical */
|
2013-08-05 16:08:17 +00:00
|
|
|
TLS_ROOT_REQ(cacertreq,
|
|
|
|
"UK", "libvirt CA", NULL, NULL, NULL, NULL,
|
|
|
|
true, true, true,
|
|
|
|
true, true, GNUTLS_KEY_KEY_CERT_SIGN,
|
|
|
|
false, false, NULL, NULL,
|
|
|
|
0, 0);
|
|
|
|
|
|
|
|
TLS_CERT_REQ(servercertreq, cacertreq,
|
|
|
|
"UK", "libvirt.org", NULL, NULL, NULL, NULL,
|
|
|
|
true, true, false,
|
|
|
|
true, true, GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT,
|
|
|
|
true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL,
|
|
|
|
0, 0);
|
|
|
|
TLS_CERT_REQ(clientcertreq, cacertreq,
|
|
|
|
"UK", "libvirt", NULL, NULL, NULL, NULL,
|
|
|
|
true, true, false,
|
|
|
|
true, true, GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT,
|
|
|
|
true, true, GNUTLS_KP_TLS_WWW_CLIENT, NULL,
|
|
|
|
0, 0);
|
2011-07-20 18:04:18 +00:00
|
|
|
|
2013-08-06 10:35:49 +00:00
|
|
|
DO_CTX_TEST(true, cacertreq.filename, servercertreq.filename, false);
|
|
|
|
DO_CTX_TEST(false, cacertreq.filename, clientcertreq.filename, false);
|
2011-07-20 18:04:18 +00:00
|
|
|
|
|
|
|
|
|
|
|
/* Some other CAs which are good */
|
|
|
|
|
|
|
|
/* Basic:CA:critical */
|
2013-08-05 16:08:17 +00:00
|
|
|
TLS_ROOT_REQ(cacert1req,
|
|
|
|
"UK", "libvirt CA 1", NULL, NULL, NULL, NULL,
|
|
|
|
true, true, true,
|
|
|
|
false, false, 0,
|
|
|
|
false, false, NULL, NULL,
|
|
|
|
0, 0);
|
|
|
|
TLS_CERT_REQ(servercert1req, cacert1req,
|
|
|
|
"UK", "libvirt.org", NULL, NULL, NULL, NULL,
|
|
|
|
true, true, false,
|
|
|
|
true, true, GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT,
|
|
|
|
true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL,
|
|
|
|
0, 0);
|
|
|
|
|
2011-07-20 18:04:18 +00:00
|
|
|
/* Basic:CA:not-critical */
|
2013-08-05 16:08:17 +00:00
|
|
|
TLS_ROOT_REQ(cacert2req,
|
|
|
|
"UK", "libvirt CA 2", NULL, NULL, NULL, NULL,
|
|
|
|
true, false, true,
|
|
|
|
false, false, 0,
|
|
|
|
false, false, NULL, NULL,
|
|
|
|
0, 0);
|
|
|
|
TLS_CERT_REQ(servercert2req, cacert2req,
|
|
|
|
"UK", "libvirt.org", NULL, NULL, NULL, NULL,
|
|
|
|
true, true, false,
|
|
|
|
true, true, GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT,
|
|
|
|
true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL,
|
|
|
|
0, 0);
|
|
|
|
|
2013-08-05 15:49:24 +00:00
|
|
|
/* Key usage:cert-sign:critical */
|
2013-08-05 16:08:17 +00:00
|
|
|
TLS_ROOT_REQ(cacert3req,
|
|
|
|
"UK", "libvirt CA 3", NULL, NULL, NULL, NULL,
|
|
|
|
true, true, true,
|
|
|
|
true, true, GNUTLS_KEY_KEY_CERT_SIGN,
|
|
|
|
false, false, NULL, NULL,
|
|
|
|
0, 0);
|
|
|
|
TLS_CERT_REQ(servercert3req, cacert3req,
|
|
|
|
"UK", "libvirt.org", NULL, NULL, NULL, NULL,
|
|
|
|
true, true, false,
|
|
|
|
true, true, GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT,
|
|
|
|
true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL,
|
|
|
|
0, 0);
|
|
|
|
|
2013-08-06 10:35:49 +00:00
|
|
|
DO_CTX_TEST(true, cacert1req.filename, servercert1req.filename, false);
|
|
|
|
DO_CTX_TEST(true, cacert2req.filename, servercert2req.filename, false);
|
|
|
|
DO_CTX_TEST(true, cacert3req.filename, servercert3req.filename, false);
|
2011-07-20 18:04:18 +00:00
|
|
|
|
|
|
|
/* Now some bad certs */
|
|
|
|
|
2013-03-04 17:27:38 +00:00
|
|
|
/* Key usage:dig-sig:not-critical */
|
2013-08-05 16:08:17 +00:00
|
|
|
TLS_ROOT_REQ(cacert4req,
|
|
|
|
"UK", "libvirt CA 4", NULL, NULL, NULL, NULL,
|
|
|
|
true, true, true,
|
|
|
|
true, false, GNUTLS_KEY_DIGITAL_SIGNATURE,
|
|
|
|
false, false, NULL, NULL,
|
|
|
|
0, 0);
|
|
|
|
TLS_CERT_REQ(servercert4req, cacert4req,
|
|
|
|
"UK", "libvirt.org", NULL, NULL, NULL, NULL,
|
|
|
|
true, true, false,
|
|
|
|
true, true, GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT,
|
|
|
|
true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL,
|
|
|
|
0, 0);
|
2011-07-20 18:04:18 +00:00
|
|
|
/* no-basic */
|
2013-08-05 16:08:17 +00:00
|
|
|
TLS_ROOT_REQ(cacert5req,
|
|
|
|
"UK", "libvirt CA 5", NULL, NULL, NULL, NULL,
|
|
|
|
false, false, false,
|
|
|
|
false, false, 0,
|
|
|
|
false, false, NULL, NULL,
|
|
|
|
0, 0);
|
|
|
|
TLS_CERT_REQ(servercert5req, cacert5req,
|
|
|
|
"UK", "libvirt.org", NULL, NULL, NULL, NULL,
|
|
|
|
true, true, false,
|
|
|
|
true, true, GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT,
|
|
|
|
true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL,
|
|
|
|
0, 0);
|
2011-07-20 18:04:18 +00:00
|
|
|
/* Key usage:dig-sig:critical */
|
2013-08-05 16:08:17 +00:00
|
|
|
TLS_ROOT_REQ(cacert6req,
|
|
|
|
"UK", "libvirt CA 6", NULL, NULL, NULL, NULL,
|
|
|
|
true, true, true,
|
|
|
|
true, true, GNUTLS_KEY_DIGITAL_SIGNATURE,
|
|
|
|
false, false, NULL, NULL,
|
|
|
|
0, 0);
|
|
|
|
TLS_CERT_REQ(servercert6req, cacert6req,
|
|
|
|
"UK", "libvirt.org", NULL, NULL, NULL, NULL,
|
|
|
|
true, true, false,
|
|
|
|
true, true, GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT,
|
|
|
|
true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL,
|
|
|
|
0, 0);
|
2011-07-20 18:04:18 +00:00
|
|
|
|
2013-03-04 17:27:38 +00:00
|
|
|
/* Technically a CA cert with basic constraints
|
|
|
|
* key purpose == key signing + non-critical should
|
|
|
|
* be rejected. GNUTLS < 3 does not reject it and
|
|
|
|
* we don't anticipate them changing this behaviour
|
|
|
|
*/
|
2013-08-06 10:35:49 +00:00
|
|
|
DO_CTX_TEST(true, cacert4req.filename, servercert4req.filename, GNUTLS_VERSION_MAJOR >= 3);
|
|
|
|
DO_CTX_TEST(true, cacert5req.filename, servercert5req.filename, true);
|
|
|
|
DO_CTX_TEST(true, cacert6req.filename, servercert6req.filename, true);
|
2011-07-20 18:04:18 +00:00
|
|
|
|
|
|
|
|
|
|
|
/* Various good servers */
|
|
|
|
/* no usage or purpose */
|
2013-08-05 16:08:17 +00:00
|
|
|
TLS_CERT_REQ(servercert7req, cacertreq,
|
|
|
|
"UK", "libvirt", NULL, NULL, NULL, NULL,
|
|
|
|
true, true, false,
|
|
|
|
false, false, 0,
|
|
|
|
false, false, NULL, NULL,
|
|
|
|
0, 0);
|
2011-07-20 18:04:18 +00:00
|
|
|
/* usage:cert-sign+dig-sig+encipher:critical */
|
2013-08-05 16:08:17 +00:00
|
|
|
TLS_CERT_REQ(servercert8req, cacertreq,
|
|
|
|
"UK", "libvirt", NULL, NULL, NULL, NULL,
|
|
|
|
true, true, false,
|
|
|
|
true, true, GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT | GNUTLS_KEY_KEY_CERT_SIGN,
|
|
|
|
false, false, NULL, NULL,
|
|
|
|
0, 0);
|
2011-07-20 18:04:18 +00:00
|
|
|
/* usage:cert-sign:not-critical */
|
2013-08-05 16:08:17 +00:00
|
|
|
TLS_CERT_REQ(servercert9req, cacertreq,
|
|
|
|
"UK", "libvirt", NULL, NULL, NULL, NULL,
|
|
|
|
true, true, false,
|
|
|
|
true, false, GNUTLS_KEY_KEY_CERT_SIGN,
|
|
|
|
false, false, NULL, NULL,
|
|
|
|
0, 0);
|
2011-07-20 18:04:18 +00:00
|
|
|
/* purpose:server:critical */
|
2013-08-05 16:08:17 +00:00
|
|
|
TLS_CERT_REQ(servercert10req, cacertreq,
|
|
|
|
"UK", "libvirt", NULL, NULL, NULL, NULL,
|
|
|
|
true, true, false,
|
|
|
|
false, false, 0,
|
|
|
|
true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL,
|
|
|
|
0, 0);
|
2011-07-20 18:04:18 +00:00
|
|
|
/* purpose:server:not-critical */
|
2013-08-05 16:08:17 +00:00
|
|
|
TLS_CERT_REQ(servercert11req, cacertreq,
|
|
|
|
"UK", "libvirt", NULL, NULL, NULL, NULL,
|
|
|
|
true, true, false,
|
|
|
|
false, false, 0,
|
|
|
|
true, false, GNUTLS_KP_TLS_WWW_SERVER, NULL,
|
|
|
|
0, 0);
|
2011-07-20 18:04:18 +00:00
|
|
|
/* purpose:client+server:critical */
|
2013-08-05 16:08:17 +00:00
|
|
|
TLS_CERT_REQ(servercert12req, cacertreq,
|
|
|
|
"UK", "libvirt", NULL, NULL, NULL, NULL,
|
|
|
|
true, true, false,
|
|
|
|
false, false, 0,
|
|
|
|
true, true, GNUTLS_KP_TLS_WWW_CLIENT, GNUTLS_KP_TLS_WWW_SERVER,
|
|
|
|
0, 0);
|
2011-07-20 18:04:18 +00:00
|
|
|
/* purpose:client+server:not-critical */
|
2013-08-05 16:08:17 +00:00
|
|
|
TLS_CERT_REQ(servercert13req, cacertreq,
|
|
|
|
"UK", "libvirt", NULL, NULL, NULL, NULL,
|
|
|
|
true, true, false,
|
|
|
|
false, false, 0,
|
|
|
|
true, false, GNUTLS_KP_TLS_WWW_CLIENT, GNUTLS_KP_TLS_WWW_SERVER,
|
|
|
|
0, 0);
|
|
|
|
|
2013-08-06 10:35:49 +00:00
|
|
|
DO_CTX_TEST(true, cacertreq.filename, servercert7req.filename, false);
|
|
|
|
DO_CTX_TEST(true, cacertreq.filename, servercert8req.filename, false);
|
|
|
|
DO_CTX_TEST(true, cacertreq.filename, servercert9req.filename, false);
|
|
|
|
DO_CTX_TEST(true, cacertreq.filename, servercert10req.filename, false);
|
|
|
|
DO_CTX_TEST(true, cacertreq.filename, servercert11req.filename, false);
|
|
|
|
DO_CTX_TEST(true, cacertreq.filename, servercert12req.filename, false);
|
|
|
|
DO_CTX_TEST(true, cacertreq.filename, servercert13req.filename, false);
|
2011-07-20 18:04:18 +00:00
|
|
|
/* Bad servers */
|
|
|
|
|
|
|
|
/* usage:cert-sign:critical */
|
2013-08-05 16:08:17 +00:00
|
|
|
TLS_CERT_REQ(servercert14req, cacertreq,
|
|
|
|
"UK", "libvirt", NULL, NULL, NULL, NULL,
|
|
|
|
true, true, false,
|
|
|
|
true, true, GNUTLS_KEY_KEY_CERT_SIGN,
|
|
|
|
false, false, NULL, NULL,
|
|
|
|
0, 0);
|
2011-07-20 18:04:18 +00:00
|
|
|
/* purpose:client:critical */
|
2013-08-05 16:08:17 +00:00
|
|
|
TLS_CERT_REQ(servercert15req, cacertreq,
|
|
|
|
"UK", "libvirt", NULL, NULL, NULL, NULL,
|
|
|
|
true, true, false,
|
|
|
|
false, false, 0,
|
|
|
|
true, true, GNUTLS_KP_TLS_WWW_CLIENT, NULL,
|
|
|
|
0, 0);
|
2011-07-20 18:04:18 +00:00
|
|
|
/* usage: none:critical */
|
2013-08-05 16:08:17 +00:00
|
|
|
TLS_CERT_REQ(servercert16req, cacertreq,
|
|
|
|
"UK", "libvirt", NULL, NULL, NULL, NULL,
|
|
|
|
true, true, false,
|
|
|
|
true, true, 0,
|
|
|
|
false, false, NULL, NULL,
|
|
|
|
0, 0);
|
2011-07-20 18:04:18 +00:00
|
|
|
|
2013-08-06 10:35:49 +00:00
|
|
|
DO_CTX_TEST(true, cacertreq.filename, servercert14req.filename, true);
|
|
|
|
DO_CTX_TEST(true, cacertreq.filename, servercert15req.filename, true);
|
|
|
|
DO_CTX_TEST(true, cacertreq.filename, servercert16req.filename, true);
|
2011-07-20 18:04:18 +00:00
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
/* Various good clients */
|
|
|
|
/* no usage or purpose */
|
2013-08-05 16:08:17 +00:00
|
|
|
TLS_CERT_REQ(clientcert1req, cacertreq,
|
|
|
|
"UK", "libvirt", NULL, NULL, NULL, NULL,
|
|
|
|
true, true, false,
|
|
|
|
false, false, 0,
|
|
|
|
false, false, NULL, NULL,
|
|
|
|
0, 0);
|
2011-07-20 18:04:18 +00:00
|
|
|
/* usage:cert-sign+dig-sig+encipher:critical */
|
2013-08-05 16:08:17 +00:00
|
|
|
TLS_CERT_REQ(clientcert2req, cacertreq,
|
|
|
|
"UK", "libvirt", NULL, NULL, NULL, NULL,
|
|
|
|
true, true, false,
|
|
|
|
true, true, GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT | GNUTLS_KEY_KEY_CERT_SIGN,
|
|
|
|
false, false, NULL, NULL,
|
|
|
|
0, 0);
|
2011-07-20 18:04:18 +00:00
|
|
|
/* usage:cert-sign:not-critical */
|
2013-08-05 16:08:17 +00:00
|
|
|
TLS_CERT_REQ(clientcert3req, cacertreq,
|
|
|
|
"UK", "libvirt", NULL, NULL, NULL, NULL,
|
|
|
|
true, true, false,
|
|
|
|
true, false, GNUTLS_KEY_KEY_CERT_SIGN,
|
|
|
|
false, false, NULL, NULL,
|
|
|
|
0, 0);
|
2011-07-20 18:04:18 +00:00
|
|
|
/* purpose:client:critical */
|
2013-08-05 16:08:17 +00:00
|
|
|
TLS_CERT_REQ(clientcert4req, cacertreq,
|
|
|
|
"UK", "libvirt", NULL, NULL, NULL, NULL,
|
|
|
|
true, true, false,
|
|
|
|
false, false, 0,
|
|
|
|
true, true, GNUTLS_KP_TLS_WWW_CLIENT, NULL,
|
|
|
|
0, 0);
|
2011-07-20 18:04:18 +00:00
|
|
|
/* purpose:client:not-critical */
|
2013-08-05 16:08:17 +00:00
|
|
|
TLS_CERT_REQ(clientcert5req, cacertreq,
|
|
|
|
"UK", "libvirt", NULL, NULL, NULL, NULL,
|
|
|
|
true, true, false,
|
|
|
|
false, false, 0,
|
|
|
|
true, false, GNUTLS_KP_TLS_WWW_CLIENT, NULL,
|
|
|
|
0, 0);
|
2011-07-20 18:04:18 +00:00
|
|
|
/* purpose:client+client:critical */
|
2013-08-05 16:08:17 +00:00
|
|
|
TLS_CERT_REQ(clientcert6req, cacertreq,
|
|
|
|
"UK", "libvirt", NULL, NULL, NULL, NULL,
|
|
|
|
true, true, false,
|
|
|
|
false, false, 0,
|
|
|
|
true, true, GNUTLS_KP_TLS_WWW_CLIENT, GNUTLS_KP_TLS_WWW_SERVER,
|
|
|
|
0, 0);
|
2011-07-20 18:04:18 +00:00
|
|
|
/* purpose:client+client:not-critical */
|
2013-08-05 16:08:17 +00:00
|
|
|
TLS_CERT_REQ(clientcert7req, cacertreq,
|
|
|
|
"UK", "libvirt", NULL, NULL, NULL, NULL,
|
|
|
|
true, true, false,
|
|
|
|
false, false, 0,
|
|
|
|
true, false, GNUTLS_KP_TLS_WWW_CLIENT, GNUTLS_KP_TLS_WWW_SERVER,
|
|
|
|
0, 0);
|
2011-07-20 18:04:18 +00:00
|
|
|
|
2013-08-06 10:35:49 +00:00
|
|
|
DO_CTX_TEST(false, cacertreq.filename, clientcert1req.filename, false);
|
|
|
|
DO_CTX_TEST(false, cacertreq.filename, clientcert2req.filename, false);
|
|
|
|
DO_CTX_TEST(false, cacertreq.filename, clientcert3req.filename, false);
|
|
|
|
DO_CTX_TEST(false, cacertreq.filename, clientcert4req.filename, false);
|
|
|
|
DO_CTX_TEST(false, cacertreq.filename, clientcert5req.filename, false);
|
|
|
|
DO_CTX_TEST(false, cacertreq.filename, clientcert6req.filename, false);
|
|
|
|
DO_CTX_TEST(false, cacertreq.filename, clientcert7req.filename, false);
|
2011-07-20 18:04:18 +00:00
|
|
|
/* Bad clients */
|
|
|
|
|
|
|
|
/* usage:cert-sign:critical */
|
2013-08-05 16:08:17 +00:00
|
|
|
TLS_CERT_REQ(clientcert8req, cacertreq,
|
|
|
|
"UK", "libvirt", NULL, NULL, NULL, NULL,
|
|
|
|
true, true, false,
|
|
|
|
true, true, GNUTLS_KEY_KEY_CERT_SIGN,
|
|
|
|
false, false, NULL, NULL,
|
|
|
|
0, 0);
|
2011-07-20 18:04:18 +00:00
|
|
|
/* purpose:client:critical */
|
2013-08-05 16:08:17 +00:00
|
|
|
TLS_CERT_REQ(clientcert9req, cacertreq,
|
|
|
|
"UK", "libvirt", NULL, NULL, NULL, NULL,
|
|
|
|
true, true, false,
|
|
|
|
false, false, 0,
|
|
|
|
true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL,
|
|
|
|
0, 0);
|
2011-07-20 18:04:18 +00:00
|
|
|
/* usage: none:critical */
|
2013-08-05 16:08:17 +00:00
|
|
|
TLS_CERT_REQ(clientcert10req, cacertreq,
|
|
|
|
"UK", "libvirt", NULL, NULL, NULL, NULL,
|
|
|
|
true, true, false,
|
|
|
|
true, true, 0,
|
|
|
|
false, false, NULL, NULL,
|
|
|
|
0, 0);
|
2011-07-20 18:04:18 +00:00
|
|
|
|
2013-08-06 10:35:49 +00:00
|
|
|
DO_CTX_TEST(false, cacertreq.filename, clientcert8req.filename, true);
|
|
|
|
DO_CTX_TEST(false, cacertreq.filename, clientcert9req.filename, true);
|
|
|
|
DO_CTX_TEST(false, cacertreq.filename, clientcert10req.filename, true);
|
2011-07-20 18:04:18 +00:00
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
/* Expired stuff */
|
|
|
|
|
2013-08-05 16:08:17 +00:00
|
|
|
TLS_ROOT_REQ(cacertexpreq,
|
|
|
|
"UK", "libvirt", NULL, NULL, NULL, NULL,
|
|
|
|
true, true, true,
|
|
|
|
true, true, GNUTLS_KEY_KEY_CERT_SIGN,
|
|
|
|
false, false, NULL, NULL,
|
|
|
|
0, -1);
|
|
|
|
TLS_CERT_REQ(servercertexpreq, cacertexpreq,
|
|
|
|
"UK", "libvirt.org", NULL, NULL, NULL, NULL,
|
|
|
|
true, true, false,
|
|
|
|
true, true, GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT,
|
|
|
|
true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL,
|
|
|
|
0, 0);
|
|
|
|
TLS_CERT_REQ(servercertexp1req, cacertreq,
|
|
|
|
"UK", "libvirt", NULL, NULL, NULL, NULL,
|
|
|
|
true, true, false,
|
|
|
|
true, true, GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT,
|
|
|
|
true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL,
|
|
|
|
0, -1);
|
|
|
|
TLS_CERT_REQ(clientcertexp1req, cacertreq,
|
|
|
|
"UK", "libvirt", NULL, NULL, NULL, NULL,
|
|
|
|
true, true, false,
|
|
|
|
true, true, GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT,
|
|
|
|
true, true, GNUTLS_KP_TLS_WWW_CLIENT, NULL,
|
|
|
|
0, -1);
|
|
|
|
|
2013-08-06 10:35:49 +00:00
|
|
|
DO_CTX_TEST(true, cacertexpreq.filename, servercertexpreq.filename, true);
|
|
|
|
DO_CTX_TEST(true, cacertreq.filename, servercertexp1req.filename, true);
|
|
|
|
DO_CTX_TEST(false, cacertreq.filename, clientcertexp1req.filename, true);
|
2011-07-20 18:04:18 +00:00
|
|
|
|
|
|
|
|
|
|
|
/* Not activated stuff */
|
|
|
|
|
2013-08-05 16:08:17 +00:00
|
|
|
TLS_ROOT_REQ(cacertnewreq,
|
|
|
|
"UK", "libvirt", NULL, NULL, NULL, NULL,
|
|
|
|
true, true, true,
|
|
|
|
true, true, GNUTLS_KEY_KEY_CERT_SIGN,
|
|
|
|
false, false, NULL, NULL,
|
|
|
|
1, 2);
|
|
|
|
TLS_CERT_REQ(servercertnewreq, cacertnewreq,
|
|
|
|
"UK", "libvirt", NULL, NULL, NULL, NULL,
|
|
|
|
true, true, false,
|
|
|
|
true, true, GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT,
|
|
|
|
true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL,
|
|
|
|
0, 0);
|
|
|
|
TLS_CERT_REQ(servercertnew1req, cacertreq,
|
|
|
|
"UK", "libvirt", NULL, NULL, NULL, NULL,
|
|
|
|
true, true, false,
|
|
|
|
true, true, GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT,
|
|
|
|
true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL,
|
|
|
|
1, 2);
|
|
|
|
TLS_CERT_REQ(clientcertnew1req, cacertreq,
|
|
|
|
"UK", "libvirt", NULL, NULL, NULL, NULL,
|
|
|
|
true, true, false,
|
|
|
|
true, true, GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT,
|
|
|
|
true, true, GNUTLS_KP_TLS_WWW_CLIENT, NULL,
|
|
|
|
1, 2);
|
|
|
|
|
2013-08-06 10:35:49 +00:00
|
|
|
DO_CTX_TEST(true, cacertnewreq.filename, servercertnewreq.filename, true);
|
|
|
|
DO_CTX_TEST(true, cacertreq.filename, servercertnew1req.filename, true);
|
|
|
|
DO_CTX_TEST(false, cacertreq.filename, clientcertnew1req.filename, true);
|
2013-08-05 16:08:17 +00:00
|
|
|
|
2013-08-06 11:31:20 +00:00
|
|
|
TLS_ROOT_REQ(cacertrootreq,
|
|
|
|
"UK", "libvirt root", NULL, NULL, NULL, NULL,
|
|
|
|
true, true, true,
|
|
|
|
true, true, GNUTLS_KEY_KEY_CERT_SIGN,
|
|
|
|
false, false, NULL, NULL,
|
|
|
|
0, 0);
|
|
|
|
TLS_CERT_REQ(cacertlevel1areq, cacertrootreq,
|
|
|
|
"UK", "libvirt level 1a", NULL, NULL, NULL, NULL,
|
|
|
|
true, true, true,
|
|
|
|
true, true, GNUTLS_KEY_KEY_CERT_SIGN,
|
|
|
|
false, false, NULL, NULL,
|
|
|
|
0, 0);
|
|
|
|
TLS_CERT_REQ(cacertlevel1breq, cacertrootreq,
|
|
|
|
"UK", "libvirt level 1b", NULL, NULL, NULL, NULL,
|
|
|
|
true, true, true,
|
|
|
|
true, true, GNUTLS_KEY_KEY_CERT_SIGN,
|
|
|
|
false, false, NULL, NULL,
|
|
|
|
0, 0);
|
|
|
|
TLS_CERT_REQ(cacertlevel2areq, cacertlevel1areq,
|
|
|
|
"UK", "libvirt level 2a", NULL, NULL, NULL, NULL,
|
|
|
|
true, true, true,
|
|
|
|
true, true, GNUTLS_KEY_KEY_CERT_SIGN,
|
|
|
|
false, false, NULL, NULL,
|
|
|
|
0, 0);
|
|
|
|
TLS_CERT_REQ(servercertlevel3areq, cacertlevel2areq,
|
|
|
|
"UK", "libvirt.org", NULL, NULL, NULL, NULL,
|
|
|
|
true, true, false,
|
|
|
|
true, true, GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT,
|
|
|
|
true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL,
|
|
|
|
0, 0);
|
|
|
|
TLS_CERT_REQ(clientcertlevel2breq, cacertlevel1breq,
|
|
|
|
"UK", "libvirt client level 2b", NULL, NULL, NULL, NULL,
|
|
|
|
true, true, false,
|
|
|
|
true, true, GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT,
|
|
|
|
true, true, GNUTLS_KP_TLS_WWW_CLIENT, NULL,
|
|
|
|
0, 0);
|
|
|
|
|
|
|
|
gnutls_x509_crt_t certchain[] = {
|
|
|
|
cacertrootreq.crt,
|
|
|
|
cacertlevel1areq.crt,
|
|
|
|
cacertlevel1breq.crt,
|
|
|
|
cacertlevel2areq.crt,
|
|
|
|
};
|
|
|
|
|
2013-08-09 07:53:30 +00:00
|
|
|
testTLSWriteCertChain("cacertchain-ctx.pem",
|
2013-08-06 11:31:20 +00:00
|
|
|
certchain,
|
|
|
|
ARRAY_CARDINALITY(certchain));
|
|
|
|
|
2013-08-09 07:53:30 +00:00
|
|
|
DO_CTX_TEST(true, "cacertchain-ctx.pem", servercertlevel3areq.filename, false);
|
|
|
|
DO_CTX_TEST(false, "cacertchain-ctx.pem", clientcertlevel2breq.filename, false);
|
2013-08-06 11:31:20 +00:00
|
|
|
|
2013-08-21 11:48:58 +00:00
|
|
|
DO_CTX_TEST(false, "cacertdoesnotexist.pem", "servercertdoesnotexist.pem", true);
|
|
|
|
|
2013-08-05 16:08:17 +00:00
|
|
|
testTLSDiscardCert(&cacertreq);
|
|
|
|
testTLSDiscardCert(&cacert1req);
|
|
|
|
testTLSDiscardCert(&cacert2req);
|
|
|
|
testTLSDiscardCert(&cacert3req);
|
|
|
|
testTLSDiscardCert(&cacert4req);
|
|
|
|
testTLSDiscardCert(&cacert5req);
|
|
|
|
testTLSDiscardCert(&cacert6req);
|
|
|
|
|
|
|
|
testTLSDiscardCert(&servercertreq);
|
|
|
|
testTLSDiscardCert(&servercert1req);
|
|
|
|
testTLSDiscardCert(&servercert2req);
|
|
|
|
testTLSDiscardCert(&servercert3req);
|
|
|
|
testTLSDiscardCert(&servercert4req);
|
|
|
|
testTLSDiscardCert(&servercert5req);
|
|
|
|
testTLSDiscardCert(&servercert6req);
|
|
|
|
testTLSDiscardCert(&servercert7req);
|
|
|
|
testTLSDiscardCert(&servercert8req);
|
|
|
|
testTLSDiscardCert(&servercert9req);
|
|
|
|
testTLSDiscardCert(&servercert10req);
|
|
|
|
testTLSDiscardCert(&servercert11req);
|
|
|
|
testTLSDiscardCert(&servercert12req);
|
|
|
|
testTLSDiscardCert(&servercert13req);
|
|
|
|
testTLSDiscardCert(&servercert14req);
|
|
|
|
testTLSDiscardCert(&servercert15req);
|
|
|
|
testTLSDiscardCert(&servercert16req);
|
|
|
|
|
|
|
|
testTLSDiscardCert(&clientcertreq);
|
|
|
|
testTLSDiscardCert(&clientcert1req);
|
|
|
|
testTLSDiscardCert(&clientcert2req);
|
|
|
|
testTLSDiscardCert(&clientcert3req);
|
|
|
|
testTLSDiscardCert(&clientcert4req);
|
|
|
|
testTLSDiscardCert(&clientcert5req);
|
|
|
|
testTLSDiscardCert(&clientcert6req);
|
|
|
|
testTLSDiscardCert(&clientcert7req);
|
|
|
|
testTLSDiscardCert(&clientcert8req);
|
|
|
|
testTLSDiscardCert(&clientcert9req);
|
|
|
|
testTLSDiscardCert(&clientcert10req);
|
|
|
|
|
|
|
|
testTLSDiscardCert(&cacertexpreq);
|
|
|
|
testTLSDiscardCert(&servercertexpreq);
|
|
|
|
testTLSDiscardCert(&servercertexp1req);
|
|
|
|
testTLSDiscardCert(&clientcertexp1req);
|
|
|
|
|
|
|
|
testTLSDiscardCert(&cacertnewreq);
|
|
|
|
testTLSDiscardCert(&servercertnewreq);
|
|
|
|
testTLSDiscardCert(&servercertnew1req);
|
|
|
|
testTLSDiscardCert(&clientcertnew1req);
|
2011-07-20 18:04:18 +00:00
|
|
|
|
2013-08-06 11:31:20 +00:00
|
|
|
testTLSDiscardCert(&cacertrootreq);
|
|
|
|
testTLSDiscardCert(&cacertlevel1areq);
|
|
|
|
testTLSDiscardCert(&cacertlevel1breq);
|
|
|
|
testTLSDiscardCert(&cacertlevel2areq);
|
|
|
|
testTLSDiscardCert(&servercertlevel3areq);
|
|
|
|
testTLSDiscardCert(&clientcertlevel2breq);
|
2013-08-09 07:53:30 +00:00
|
|
|
unlink("cacertchain-ctx.pem");
|
2013-08-06 11:31:20 +00:00
|
|
|
|
2013-08-08 22:08:25 +00:00
|
|
|
testTLSCleanup(KEYFILE);
|
2011-07-20 18:04:18 +00:00
|
|
|
|
2012-03-22 11:33:35 +00:00
|
|
|
return ret==0 ? EXIT_SUCCESS : EXIT_FAILURE;
|
2011-07-20 18:04:18 +00:00
|
|
|
}
|
|
|
|
|
2011-07-22 17:59:37 +00:00
|
|
|
VIRT_TEST_MAIN(mymain)
|
|
|
|
|
2011-07-20 18:04:18 +00:00
|
|
|
#else
|
2011-07-28 15:48:12 +00:00
|
|
|
|
2011-07-22 17:59:37 +00:00
|
|
|
int
|
2011-07-28 15:48:12 +00:00
|
|
|
main(void)
|
2011-07-20 18:04:18 +00:00
|
|
|
{
|
2011-07-28 15:48:12 +00:00
|
|
|
return EXIT_AM_SKIP;
|
2011-07-20 18:04:18 +00:00
|
|
|
}
|
2011-07-28 15:48:12 +00:00
|
|
|
|
2011-07-20 18:04:18 +00:00
|
|
|
#endif
|