Commit Graph

36 Commits

Author SHA1 Message Date
Cédric Bosdonnat
78af457eef virnettlscontexttest fails with GNUTLS 3.0.28
On openSUSE 12.x with GNUTLS 3.0.28, virnettlscontexttest fails. It has
been reported to work from GNUTLS 3.1.11 on Fedora 19. Changed the
constraints on gnutls to 3.1+ for unit test cacert4req.

Signed-off-by: Eric Blake <eblake@redhat.com>
2013-12-23 13:16:07 -07:00
Daniel P. Berrange
eee6eb666c Remove test case average timing
The test case average timing code has not been used by any test
case ever. Delete it to remove complexity.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2013-10-08 12:39:30 +01:00
Daniel P. Berrange
4b8d387ef9 Test handling of non-existent x509 certs
In commit f905cc9984 a use of
uninitialized data was fixed based on a coverity report. It
turns out it was possible to trigger this issue by pointing
libvirt at non-existent certificate files, typically causing
a crash.

This adds a test case for that scenario. With the above
commit reverted, this new test case will crash with a SEGV.
With the fix applied, it passes, reporting a normal libvirt
error to the caller.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2013-08-21 13:51:25 +01:00
Martin Kletzander
3be7a30426 tests: Fix parallel runs of TLS test suites
I noticed this yesterday and fixed it in a different way, but ended up
with one more problem.  It was probably the way I fixed it combined
with one more filename changed.

Anyway, why I'm saying this is that one more filename should be renamed
in order to avoid a race (which I was unable to reproduce, though).

I checked this is the last file those two tests have in common by going
through the code and then re-checked by this "script":

strace -o session.trace -e open ./virnettlssessiontest
strace -o context.trace -e open ./virnettlscontexttest
sort \
 <(sed -n '/^open/s/open("\([^"]*\)",.*$/\1/p' context.trace | sort -u)\
 <(sed -n '/^open/s/open("\([^"]*\)",.*$/\1/p' session.trace | sort -u)\
 | uniq -d| grep '.pem$'

So it should be enough to make these tests independent of each other.

Signed-off-by: Eric Blake <eblake@redhat.com>
2013-08-12 20:20:00 -06:00
Daniel P. Berrange
eaa99a17db Fix parallel runs of TLS test suites
Use a separate keyfile name for the two TLS test suites so that
they don't clash when running tests in parallel

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2013-08-09 11:54:41 +01:00
Daniel P. Berrange
31d41d9268 Fix validation of CA certificate chains
The code added to validate CA certificates did not take into
account the possibility that the cacert.pem file can contain
multiple (concatenated) cert data blocks. Extend the code for
loading CA certs to use the gnutls APIs for loading cert lists.
Add test cases to check that multi-level trees of certs will
validate correctly.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2013-08-08 10:44:28 +01:00
Daniel P. Berrange
b93bd78ed3 Change data passed into TLS test cases
Currently a 'struct testTLSCertReq' instance is passed into
the TLS test cases. This is not flexible enough to cope with
certificate chains, where one file now corresponds to multiple
certificates. Change the test cases so that we pass in filenames
instead.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2013-08-08 10:02:12 +01:00
Daniel P. Berrange
90811c5987 Avoid re-generating certs every time
Currently every test case in the TLS test suite generates the
certs fresh. This is a waste of time, since its parameters
don't change across test cases. Create certs once in main
method.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2013-08-08 10:00:42 +01:00
Daniel P. Berrange
236da82dae Split TLS test into two separate tests
The virnettlscontexttest.c tests both virNetTLSContext
and virNetTLSSession functionality. Split into two
separate tests, to make the code size more manageable

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2013-08-08 10:00:42 +01:00
Daniel P. Berrange
0204d6d7a0 Fix TLS tests with gnutls 3
When given a CA cert with basic constraints to set non-critical,
and key usage of 'key signing', this should be rejected. Versions
of GNUTLS < 3 do not reject it though, so we never noticed the
test case was broken

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2013-03-04 17:42:16 +00:00
John Ferlan
0eb62708a7 virnettlscontexttest: Resolve memory leak found by Valgrind
testTLSDerEncode() will allocate memory for der.data, it wasn't VIR_FREE()'d.
Also don't initialize der to use static buffer.
2013-02-07 14:08:13 -05:00
John Ferlan
31e0de1a85 tests: Remove VIR_FREE() on static/stack buffer (der.data)
2013-01-23 15:02:06 +01:00
John Ferlan
51811e4161 Resolve COPY_PASTE error found by Coverity
Fix copy-paste error doing handshake.

The clientShake was not set to true, thus we'd potentially never leave
the handshake while loop.
2013-01-08 16:21:46 +01:00
Daniel P. Berrange
f24404a324 Rename virterror.c virterror_internal.h to virerror.{c,h}
2012-12-21 11:19:50 +00:00
Daniel P. Berrange
44f6ae27fe Rename util.{c,h} to virutil.{c,h}
2012-12-21 11:19:49 +00:00
Daniel P. Berrange
ab9b7ec2f6 Rename memory.{c,h} to viralloc.{c,h}
2012-12-21 11:17:14 +00:00
Daniel P. Berrange
936d95d347 Rename logging.{c,h} to virlog.{c,h}
2012-12-21 11:17:14 +00:00
Daniel P. Berrange
04d9510f50 Rename command.{c,h} to vircommand.{c,h}
2012-12-21 11:17:13 +00:00
Ján Tomko
149c87b49d Various typos and misspellings
2012-10-12 00:03:43 +02:00
Eric Blake
4ecb723b9e maint: fix up copyright notice inconsistencies
https://www.gnu.org/licenses/gpl-howto.html recommends that
the 'If not, see <url>.' phrase be a separate sentence.

* tests/securityselinuxhelper.c: Remove doubled line.
* tests/securityselinuxtest.c: Likewise.
* globally: s/;  If/.  If/
2012-09-20 16:30:55 -06:00
Daniel P. Berrange
e10e1969d5 Turn virNetTLSContext and virNetTLSSession into virObject instances
Make virNetTLSContext and virNetTLSSession use the virObject
APIs for reference counting

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2012-08-07 11:47:41 +01:00
Osier Yang
f9ce7dad60 Desert the FSF address in copyright
Per the FSF address could be changed from time to time, and GNU
recommends the following now: (http://www.gnu.org/licenses/gpl-howto.html)

  You should have received a copy of the GNU General Public License
  along with Foobar.  If not, see <http://www.gnu.org/licenses/>.

This patch removes the explicit FSF address, and uses above instead
(of course, with inserting 'Lesser' before 'General').

Except a bunch of files for security driver, all others are changed
automatically, the copyright for security files are not complete,
that's why to do it manually:

  src/security/security_selinux.h
  src/security/security_driver.h
  src/security/security_selinux.c
  src/security/security_apparmor.h
  src/security/security_apparmor.c
  src/security/security_driver.c
2012-07-23 10:50:50 +08:00
Laine Stump
06a1a45cef test: fix build errors with gcc 4.7.0 and -O0
When building on Fedora 17 (which uses gcc 4.7.0) with -O0 in CFLAGS,
three of the tests failed to compile.

cputest.c and qemuxml2argvtest.c had non-static structs defined
inside the macro that was being repeatedly invoked. Due to some so-far
unidentified change in gcc, the stack space used by variables defined
inside { } is not recovered/re-used when the block ends, so all these
structs have become additive (this is the same problem worked around
in commit cf57d345b). Fortunately, these two files could be fixed with
a single line addition of "static" to the struct definition in the
macro.

virnettlscontexttest.c was a bit different, though. The problem structs
in the do/while loop of macros had non-constant initializers, so it
took a bit more work and piecemeal initialization instead of member
initialization to get things to be happy.

In an ideal world, none of these changes should be necessary, but not
knowing how long it will be until the gcc regressions are fixed, and
since the code is just as correct after this patch as before, it makes
sense to fix libvirt's build for -O0 while also reporting the gcc
problem.
2012-04-05 22:07:41 -06:00
Martin Kletzander
9943276fd2 Cleanup for a return statement in source files
Return statements with parameter enclosed in parentheses were modified
and parentheses were removed. The whole change was scripted, here is how:

List of files was obtained using this command:
git grep -l -e '\<return\s*([^()]*\(([^()]*)[^()]*\)*)\s*;' |             \
grep -e '\.[ch]$' -e '\.py$'

Found files were modified with this command:
sed -i -e                                                                 \
's_^\(.*\<return\)\s*(\(\([^()]*([^()]*)[^()]*\)*\))\s*\(;.*$\)_\1 \2\4_' \
-e 's_^\(.*\<return\)\s*(\([^()]*\))\s*\(;.*$\)_\1 \2\3_'

Then checked for nonsense.

The whole command looks like this:
git grep -l -e '\<return\s*([^()]*\(([^()]*)[^()]*\)*)\s*;' |             \
grep -e '\.[ch]$' -e '\.py$' | xargs sed -i -e                            \
's_^\(.*\<return\)\s*(\(\([^()]*([^()]*)[^()]*\)*\))\s*\(;.*$\)_\1 \2\4_' \
-e 's_^\(.*\<return\)\s*(\([^()]*\))\s*\(;.*$\)_\1 \2\3_'
2012-03-26 14:45:22 -06:00
Philipp Hahn
08f680ee1b tests: virnettlscontexttest needs gnutls-2.6.0
virnettlscontexttest uses gnutls_x509_crt_set_subject_alt_name() and
GNUTLS_FSAN_APPEND, which - according to
<http://www.gnu.org/software/gnutls/manual/gnutls.html> - are only
available since 2.6.0.

Since libvirt still works fine with gnutls-1.0.25 from RHEL5, only
enable the test when the version of GNUTLS is at least 2.6.0.

Signed-off-by: Philipp Hahn <hahn@univention.de>
Signed-off-by: Eric Blake <eblake@redhat.com>
2012-02-01 16:36:13 -07:00
Daniel P. Berrange
d3406045fd Split src/util/network.{c,h} into 5 pieces
The src/util/network.c file is a dumping ground for many different
APIs. Split it up into 5 pieces, along functional lines

 - src/util/virnetdevbandwidth.c: virNetDevBandwidth type & helper APIs
 - src/util/virnetdevvportprofile.c: virNetDevVPortProfile type & helper APIs
 - src/util/virsocketaddr.c: virSocketAddr and APIs
 - src/conf/netdev_bandwidth_conf.c: XML parsing / formatting
   for virNetDevBandwidth
 - src/conf/netdev_vport_profile_conf.c: XML parsing / formatting
   for virNetDevVPortProfile

* src/util/network.c, src/util/network.h: Split into 5 pieces
* src/conf/netdev_bandwidth_conf.c, src/conf/netdev_bandwidth_conf.h,
  src/conf/netdev_vport_profile_conf.c, src/conf/netdev_vport_profile_conf.h,
  src/util/virnetdevbandwidth.c, src/util/virnetdevbandwidth.h,
  src/util/virnetdevvportprofile.c, src/util/virnetdevvportprofile.h,
  src/util/virsocketaddr.c, src/util/virsocketaddr.h: New pieces
* daemon/libvirtd.h, daemon/remote.c, src/conf/domain_conf.c,
  src/conf/domain_conf.h, src/conf/network_conf.c,
  src/conf/network_conf.h, src/conf/nwfilter_conf.h,
  src/esx/esx_util.h, src/network/bridge_driver.c,
  src/qemu/qemu_conf.c, src/rpc/virnetsocket.c,
  src/rpc/virnetsocket.h, src/util/dnsmasq.h, src/util/interface.h,
  src/util/iptables.h, src/util/macvtap.c, src/util/macvtap.h,
  src/util/virnetdev.h, src/util/virnetdevtap.c,
  tools/virsh.c: Update include files
2011-11-15 10:27:54 +00:00
Daniel P. Berrange
4c544e6c61 Sanitize naming of socket address APIs
The socket address APIs in src/util/network.h either take the
form  virSocketAddrXXX, virSocketXXX or virSocketXXXAddr.

Sanitize this so everything is virSocketAddrXXXX, and ensure
that the virSocketAddr parameter is always the first one.

* src/util/network.c, src/util/network.h: Sanitize socket
  address API naming
* src/conf/domain_conf.c, src/conf/network_conf.c,
  src/conf/nwfilter_conf.c, src/network/bridge_driver.c,
  src/nwfilter/nwfilter_ebiptables_driver.c,
  src/nwfilter/nwfilter_learnipaddr.c,
  src/qemu/qemu_command.c, src/rpc/virnetsocket.c,
  src/util/dnsmasq.c, src/util/iptables.c,
  src/util/virnetdev.c, src/vbox/vbox_tmpl.c: Update for
  API renaming
2011-11-09 17:10:23 +00:00
Alex Jia
3a89819de8 tests: avoid memory leak on testTLSSessionInit
* tests/virnettlscontexttest: fix memory leak on virnettlscontext test case.

* Detected in valgrind run:

==25667==
==25667== 86,651 (34,680 direct, 51,971 indirect) bytes in 10 blocks are
definitely lost in loss record 350 of 351
==25667==    at 0x4005447: calloc (vg_replace_malloc.c:467)
==25667==    by 0x4F1F515D: gnutls_init (gnutls_state.c:270)
==25667==    by 0x8053432: virNetTLSSessionNew (virnettlscontext.c:1181)
==25667==    by 0x804DD24: testTLSSessionInit (virnettlscontexttest.c:624)
==25667==    by 0x804F14D: virtTestRun (testutils.c:140)
==25667==
==25667== 100,578 (38,148 direct, 62,430 indirect) bytes in 11 blocks are
definitely lost in loss record 351 of 351
==25667==    at 0x4005447: calloc (vg_replace_malloc.c:467)
==25667==    by 0x4F1F515D: gnutls_init (gnutls_state.c:270)
==25667==    by 0x8053432: virNetTLSSessionNew (virnettlscontext.c:1181)
==25667==    by 0x804DD3C: testTLSSessionInit (virnettlscontexttest.c:625)
==25667==    by 0x804F14D: virtTestRun (testutils.c:140)

* How to reproduce?
% cd libvirt && ./configure && make && make -C tests valgrind
or
% valgrind -v --leak-check=full ./tests/virnettlscontexttest

Signed-off-by: Alex Jia <ajia@redhat.com>
2011-09-08 11:03:34 +01:00
Matthias Bolte
099d30a825 Fix detection of GnuTLS 1.x.y
Detection based on gnutls_session doesn't work because GnuTLS 2.x.y
comes with a compat.h that defines gnutls_session to gnutls_session_t.

Instead detect this based on LIBGNUTLS_VERSION_MAJOR. Move this from
configure/config.h to gnutls_1_0_compat.h and make sure that all users
include gnutls_1_0_compat.h properly.

Also fix header guard in gnutls_1_0_compat.h.
2011-08-03 19:22:29 +02:00
Matthias Bolte
cffba7ea3e tests: Unify style of test skipping code
Prefer 'return EXIT_AM_SKIP' over 'exit(EXIT_AM_SKIP)'.

Prefer 'int main(void)' over 'int main(int argc, char **argv)'.

Fix mymain signature in commandtest and nodeinfotest.
2011-07-29 12:12:58 +02:00
Daniel P. Berrange
4d349ef7be Fix build with gnutls 1.0.x branch
2011-07-26 14:51:03 +01:00
Daniel P. Berrange
677258ab02 Fix import of private key with older gnutls
With older GNUTLS the gnutls_x509_privkey_import function is
unable to import our private key. Instead we must use the
alternative gnutls_x509_privkey_import_pkcs8() (as certtool
does).

* virnettlscontexttest.c: Fix import of private key with
  older gnutls. Also add missing newlines to key
2011-07-25 13:47:11 -06:00
Daniel P. Berrange
567b8d69b9 Fix TLS context tests with expired certs
commit 5283ea9b1d changed the
semantics of the 'expire_offset' field in the test case struct
so that instead of being an absolute timestamp, it was a delta
relative to the current time. This broke the test cases which
were testing expiry of certificates, by putting the expiry
time into the future, instead of in the past.

Fix this by changing the expiry values to be negative, so that
the delta goes into the past again.

* virnettlscontexttest.c: Fix expiry tests
2011-07-25 16:21:19 +01:00
Eric Blake
d1f144d6fe tests: detect gnutls errors
* tests/virnettlscontexttest.c (testTLSLoadKey): Report errors.
2011-07-25 13:51:50 +08:00
Eric Blake
5283ea9b1d tests: fix compilation failures
Even though gnutls is a hard-req for libvirt, and gnutls depends
on libtasn1, that does not mean that you have to have the libtasn1
development files installed.  Skip the test rather than failing
compilation in that case.

With newer gcc, the test consumed too much stack space.  Move
things to static storage to fix that.

* configure.ac (AC_CHECK_HEADERS): Check for libtasn1.h.
(HAVE_LIBTASN1): New automake conditional.
* tests/Makefile.am (virnettlsconvirnettlscontexttest_SOURCES)
(virnettlscontexttest_LDADD): Allow compilation without libtasn1.
* tests/virnettlscontexttest.c: Skip test if headers not present.
(struct testTLSCertReq): Alter time members.
(testTLSGenerateCert): Reflect the change.
(mymain): Reduce stack usage.
2011-07-25 13:48:26 +08:00
Daniel P. Berrange
bd789dff80 Add a test case for certificate validation
This test case checks certification validation rules for

 - Basic constraints
 - Key purpose
 - Key usage
 - Start/expiry times

It checks initial context creation sanity checks, and live
session validation
2011-07-22 15:18:32 +01:00