struct testTLSContextData {
bool isServer;
- struct testTLSCertReq careq;
- struct testTLSCertReq certreq;
+ const char *cacrt;
+ const char *crt;
bool expectFail;
};
int ret = -1;
if (data->isServer) {
- ctxt = virNetTLSContextNewServer(data->careq.filename,
+ ctxt = virNetTLSContextNewServer(data->cacrt,
NULL,
- data->certreq.filename,
+ data->crt,
keyfile,
NULL,
true,
true);
} else {
- ctxt = virNetTLSContextNewClient(data->careq.filename,
+ ctxt = virNetTLSContextNewClient(data->cacrt,
NULL,
- data->certreq.filename,
+ data->crt,
keyfile,
true,
true);
if (ctxt) {
if (data->expectFail) {
VIR_WARN("Expected failure %s against %s",
- data->careq.filename, data->certreq.filename);
+ data->cacrt, data->crt);
goto cleanup;
}
} else {
virErrorPtr err = virGetLastError();
if (!data->expectFail) {
VIR_WARN("Unexpected failure %s against %s",
- data->careq.filename, data->certreq.filename);
+ data->cacrt, data->crt);
goto cleanup;
}
VIR_DEBUG("Got error %s", err ? err->message : "<unknown>");
testTLSInit();
-# define DO_CTX_TEST(_isServer, _caReq, _certReq, _expectFail) \
+# define DO_CTX_TEST(_isServer, _caCrt, _crt, _expectFail) \
do { \
static struct testTLSContextData data; \
data.isServer = _isServer; \
- data.careq = _caReq; \
- data.certreq = _certReq; \
+ data.cacrt = _caCrt; \
+ data.crt = _crt; \
data.expectFail = _expectFail; \
- if (virtTestRun("TLS Context " #_caReq " + " #_certReq, 1, \
+ if (virtTestRun("TLS Context " #_caCrt " + " #_crt, 1, \
testTLSContextInit, &data) < 0) \
ret = -1; \
} while (0)
co, cn, an1, an2, ia1, ia2, bce, bcc, bci, \
kue, kuc, kuv, kpe, kpc, kpo1, kpo2, so, eo) \
static struct testTLSCertReq varname = { \
- NULL, #varname ".pem", \
+ NULL, #varname "-ctx.pem", \
co, cn, an1, an2, ia1, ia2, bce, bcc, bci, \
kue, kuc, kuv, kpe, kpc, kpo1, kpo2, so, eo \
}; \
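Review bot: The new `"-ctx.pem"` suffix in the generated filename (here and at the matching line in the second macro below, plus the `"-sess.pem"` counterparts in the session test) has no comment explaining why the suffix differs per test binary. It looks like it is there so the two test programs do not write and delete the same `.pem` files in a shared directory, but that is only inferred from the two suffixes. A one-line comment above the initializer would stop a future maintainer from "simplifying" it back, e.g. `/* Suffix keeps this binary's generated certs distinct from the other TLS test's */` — confirm the reason before wording it. The macro's `#define` line and parameter list start outside this hunk.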
co, cn, an1, an2, ia1, ia2, bce, bcc, bci, \
kue, kuc, kuv, kpe, kpc, kpo1, kpo2, so, eo) \
static struct testTLSCertReq varname = { \
- NULL, #varname ".pem", \
+ NULL, #varname "-ctx.pem", \
co, cn, an1, an2, ia1, ia2, bce, bcc, bci, \
kue, kuc, kuv, kpe, kpc, kpo1, kpo2, so, eo \
}; \
true, true, GNUTLS_KP_TLS_WWW_CLIENT, NULL,
0, 0);
- DO_CTX_TEST(true, cacertreq, servercertreq, false);
- DO_CTX_TEST(false, cacertreq, clientcertreq, false);
+ DO_CTX_TEST(true, cacertreq.filename, servercertreq.filename, false);
+ DO_CTX_TEST(false, cacertreq.filename, clientcertreq.filename, false);
/* Some other CAs which are good */
true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL,
0, 0);
- DO_CTX_TEST(true, cacert1req, servercert1req, false);
- DO_CTX_TEST(true, cacert2req, servercert2req, false);
- DO_CTX_TEST(true, cacert3req, servercert3req, false);
+ DO_CTX_TEST(true, cacert1req.filename, servercert1req.filename, false);
+ DO_CTX_TEST(true, cacert2req.filename, servercert2req.filename, false);
+ DO_CTX_TEST(true, cacert3req.filename, servercert3req.filename, false);
/* Now some bad certs */
* be rejected. GNUTLS < 3 does not reject it and
* we don't anticipate them changing this behaviour
*/
- DO_CTX_TEST(true, cacert4req, servercert4req, GNUTLS_VERSION_MAJOR >= 3);
- DO_CTX_TEST(true, cacert5req, servercert5req, true);
- DO_CTX_TEST(true, cacert6req, servercert6req, true);
+ DO_CTX_TEST(true, cacert4req.filename, servercert4req.filename, GNUTLS_VERSION_MAJOR >= 3);
+ DO_CTX_TEST(true, cacert5req.filename, servercert5req.filename, true);
+ DO_CTX_TEST(true, cacert6req.filename, servercert6req.filename, true);
/* Various good servers */
true, false, GNUTLS_KP_TLS_WWW_CLIENT, GNUTLS_KP_TLS_WWW_SERVER,
0, 0);
- DO_CTX_TEST(true, cacertreq, servercert7req, false);
- DO_CTX_TEST(true, cacertreq, servercert8req, false);
- DO_CTX_TEST(true, cacertreq, servercert9req, false);
- DO_CTX_TEST(true, cacertreq, servercert10req, false);
- DO_CTX_TEST(true, cacertreq, servercert11req, false);
- DO_CTX_TEST(true, cacertreq, servercert12req, false);
- DO_CTX_TEST(true, cacertreq, servercert13req, false);
+ DO_CTX_TEST(true, cacertreq.filename, servercert7req.filename, false);
+ DO_CTX_TEST(true, cacertreq.filename, servercert8req.filename, false);
+ DO_CTX_TEST(true, cacertreq.filename, servercert9req.filename, false);
+ DO_CTX_TEST(true, cacertreq.filename, servercert10req.filename, false);
+ DO_CTX_TEST(true, cacertreq.filename, servercert11req.filename, false);
+ DO_CTX_TEST(true, cacertreq.filename, servercert12req.filename, false);
+ DO_CTX_TEST(true, cacertreq.filename, servercert13req.filename, false);
/* Bad servers */
/* usage:cert-sign:critical */
false, false, NULL, NULL,
0, 0);
- DO_CTX_TEST(true, cacertreq, servercert14req, true);
- DO_CTX_TEST(true, cacertreq, servercert15req, true);
- DO_CTX_TEST(true, cacertreq, servercert16req, true);
+ DO_CTX_TEST(true, cacertreq.filename, servercert14req.filename, true);
+ DO_CTX_TEST(true, cacertreq.filename, servercert15req.filename, true);
+ DO_CTX_TEST(true, cacertreq.filename, servercert16req.filename, true);
true, false, GNUTLS_KP_TLS_WWW_CLIENT, GNUTLS_KP_TLS_WWW_SERVER,
0, 0);
- DO_CTX_TEST(false, cacertreq, clientcert1req, false);
- DO_CTX_TEST(false, cacertreq, clientcert2req, false);
- DO_CTX_TEST(false, cacertreq, clientcert3req, false);
- DO_CTX_TEST(false, cacertreq, clientcert4req, false);
- DO_CTX_TEST(false, cacertreq, clientcert5req, false);
- DO_CTX_TEST(false, cacertreq, clientcert6req, false);
- DO_CTX_TEST(false, cacertreq, clientcert7req, false);
+ DO_CTX_TEST(false, cacertreq.filename, clientcert1req.filename, false);
+ DO_CTX_TEST(false, cacertreq.filename, clientcert2req.filename, false);
+ DO_CTX_TEST(false, cacertreq.filename, clientcert3req.filename, false);
+ DO_CTX_TEST(false, cacertreq.filename, clientcert4req.filename, false);
+ DO_CTX_TEST(false, cacertreq.filename, clientcert5req.filename, false);
+ DO_CTX_TEST(false, cacertreq.filename, clientcert6req.filename, false);
+ DO_CTX_TEST(false, cacertreq.filename, clientcert7req.filename, false);
/* Bad clients */
/* usage:cert-sign:critical */
false, false, NULL, NULL,
0, 0);
- DO_CTX_TEST(false, cacertreq, clientcert8req, true);
- DO_CTX_TEST(false, cacertreq, clientcert9req, true);
- DO_CTX_TEST(false, cacertreq, clientcert10req, true);
+ DO_CTX_TEST(false, cacertreq.filename, clientcert8req.filename, true);
+ DO_CTX_TEST(false, cacertreq.filename, clientcert9req.filename, true);
+ DO_CTX_TEST(false, cacertreq.filename, clientcert10req.filename, true);
true, true, GNUTLS_KP_TLS_WWW_CLIENT, NULL,
0, -1);
- DO_CTX_TEST(true, cacertexpreq, servercertexpreq, true);
- DO_CTX_TEST(true, cacertreq, servercertexp1req, true);
- DO_CTX_TEST(false, cacertreq, clientcertexp1req, true);
+ DO_CTX_TEST(true, cacertexpreq.filename, servercertexpreq.filename, true);
+ DO_CTX_TEST(true, cacertreq.filename, servercertexp1req.filename, true);
+ DO_CTX_TEST(false, cacertreq.filename, clientcertexp1req.filename, true);
/* Not activated stuff */
true, true, GNUTLS_KP_TLS_WWW_CLIENT, NULL,
1, 2);
- DO_CTX_TEST(true, cacertnewreq, servercertnewreq, true);
- DO_CTX_TEST(true, cacertreq, servercertnew1req, true);
- DO_CTX_TEST(false, cacertreq, clientcertnew1req, true);
+ DO_CTX_TEST(true, cacertnewreq.filename, servercertnewreq.filename, true);
+ DO_CTX_TEST(true, cacertreq.filename, servercertnew1req.filename, true);
+ DO_CTX_TEST(false, cacertreq.filename, clientcertnew1req.filename, true);
testTLSDiscardCert(&cacertreq);
testTLSDiscardCert(&cacert1req);
# define VIR_FROM_THIS VIR_FROM_RPC
struct testTLSSessionData {
- struct testTLSCertReq careq;
- struct testTLSCertReq othercareq;
- struct testTLSCertReq serverreq;
- struct testTLSCertReq clientreq;
+ const char *servercacrt;
+ const char *clientcacrt;
+ const char *servercrt;
+ const char *clientcrt;
bool expectServerFail;
bool expectClientFail;
const char *hostname;
* want to make sure that problems are being
* detected at the TLS session validation stage
*/
- serverCtxt = virNetTLSContextNewServer(data->careq.filename,
+ serverCtxt = virNetTLSContextNewServer(data->servercacrt,
NULL,
- data->serverreq.filename,
+ data->servercrt,
keyfile,
data->wildcards,
false,
true);
- clientCtxt = virNetTLSContextNewClient(data->othercareq.filename ?
- data->othercareq.filename :
- data->careq.filename,
+ clientCtxt = virNetTLSContextNewClient(data->clientcacrt,
NULL,
- data->clientreq.filename,
+ data->clientcrt,
keyfile,
false,
true);
if (!serverCtxt) {
VIR_WARN("Unexpected failure loading %s against %s",
- data->careq.filename, data->serverreq.filename);
+ data->servercacrt, data->servercrt);
goto cleanup;
}
if (!clientCtxt) {
VIR_WARN("Unexpected failure loading %s against %s",
- data->othercareq.filename ? data->othercareq.filename :
- data->careq.filename, data->clientreq.filename);
+ data->clientcacrt, data->clientcrt);
goto cleanup;
}
if (!serverSess) {
VIR_WARN("Unexpected failure using %s against %s",
- data->careq.filename, data->serverreq.filename);
+ data->servercacrt, data->servercrt);
goto cleanup;
}
if (!clientSess) {
VIR_WARN("Unexpected failure using %s against %s",
- data->othercareq.filename ? data->othercareq.filename :
- data->careq.filename, data->clientreq.filename);
+ data->clientcacrt, data->clientcrt);
goto cleanup;
}
testTLSInit();
-# define DO_SESS_TEST(_caReq, _serverReq, _clientReq, _expectServerFail,\
+# define DO_SESS_TEST(_caCrt, _serverCrt, _clientCrt, _expectServerFail, \
_expectClientFail, _hostname, _wildcards) \
do { \
static struct testTLSSessionData data; \
- static struct testTLSCertReq other; \
- data.careq = _caReq; \
- data.othercareq = other; \
- data.serverreq = _serverReq; \
- data.clientreq = _clientReq; \
+ data.servercacrt = _caCrt; \
+ data.clientcacrt = _caCrt; \
+ data.servercrt = _serverCrt; \
+ data.clientcrt = _clientCrt; \
data.expectServerFail = _expectServerFail; \
data.expectClientFail = _expectClientFail; \
data.hostname = _hostname; \
data.wildcards = _wildcards; \
- if (virtTestRun("TLS Session " #_serverReq " + " #_clientReq, \
+ if (virtTestRun("TLS Session " #_serverCrt " + " #_clientCrt, \
1, testTLSSessionInit, &data) < 0) \
ret = -1; \
} while (0)
-# define DO_SESS_TEST_EXT(_caReq, _othercaReq, _serverReq, _clientReq, \
+# define DO_SESS_TEST_EXT(_serverCaCrt, _clientCaCrt, _serverCrt, _clientCrt, \
_expectServerFail, _expectClientFail, \
_hostname, _wildcards) \
do { \
static struct testTLSSessionData data; \
- data.careq = _caReq; \
- data.othercareq = _othercaReq; \
- data.serverreq = _serverReq; \
- data.clientreq = _clientReq; \
+ data.servercacrt = _serverCaCrt; \
+ data.clientcacrt = _clientCaCrt; \
+ data.servercrt = _serverCrt; \
+ data.clientcrt = _clientCrt; \
data.expectServerFail = _expectServerFail; \
data.expectClientFail = _expectClientFail; \
data.hostname = _hostname; \
data.wildcards = _wildcards; \
- if (virtTestRun("TLS Session " #_serverReq " + " #_clientReq, \
+ if (virtTestRun("TLS Session " #_serverCrt " + " #_clientCrt, \
1, testTLSSessionInit, &data) < 0) \
ret = -1; \
} while (0)
co, cn, an1, an2, ia1, ia2, bce, bcc, bci, \
kue, kuc, kuv, kpe, kpc, kpo1, kpo2, so, eo) \
static struct testTLSCertReq varname = { \
- NULL, #varname ".pem", \
+ NULL, #varname "-sess.pem", \
co, cn, an1, an2, ia1, ia2, bce, bcc, bci, \
kue, kuc, kuv, kpe, kpc, kpo1, kpo2, so, so \
}; \
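Review bot: The trailing initializers in this macro are `so, so`, while the parameter list on the line above ends in `so, eo` and the equivalent macros in the context test (`kue, kuc, kuv, kpe, kpc, kpo1, kpo2, so, eo`) pass both offsets; `eo` is never used here, so the expiry offset of every session-test certificate is silently replaced by its start offset. The same `so, so` appears in the second cert macro a few lines below. Since this commit is already touching these initializers it would be a good moment to change both to `kue, kuc, kuv, kpe, kpc, kpo1, kpo2, so, eo \`. If that is deliberate, a comment saying why the session tests ignore `eo` would be needed instead. The `#define` line of the macro is outside this hunk, so the intended parameter order should be checked there.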
co, cn, an1, an2, ia1, ia2, bce, bcc, bci, \
kue, kuc, kuv, kpe, kpc, kpo1, kpo2, so, eo) \
static struct testTLSCertReq varname = { \
- NULL, #varname ".pem", \
+ NULL, #varname "-sess.pem", \
co, cn, an1, an2, ia1, ia2, bce, bcc, bci, \
kue, kuc, kuv, kpe, kpc, kpo1, kpo2, so, so \
}; \
true, true, GNUTLS_KP_TLS_WWW_CLIENT, NULL,
0, 0);
- DO_SESS_TEST(cacertreq, servercertreq, clientcertreq, false, false, "libvirt.org", NULL);
- DO_SESS_TEST_EXT(cacertreq, altcacertreq, servercertreq, clientcertaltreq, true, true, "libvirt.org", NULL);
+ DO_SESS_TEST(cacertreq.filename, servercertreq.filename, clientcertreq.filename,
+ false, false, "libvirt.org", NULL);
+ DO_SESS_TEST_EXT(cacertreq.filename, altcacertreq.filename, servercertreq.filename,
+ clientcertaltreq.filename, true, true, "libvirt.org", NULL);
/* When an altname is set, the CN is ignored, so it must be duplicated
true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL,
0, 0);
- DO_SESS_TEST(cacertreq, servercertalt1req, clientcertreq, false, false, "libvirt.org", NULL);
- DO_SESS_TEST(cacertreq, servercertalt1req, clientcertreq, false, false, "www.libvirt.org", NULL);
- DO_SESS_TEST(cacertreq, servercertalt1req, clientcertreq, false, true, "wiki.libvirt.org", NULL);
+ DO_SESS_TEST(cacertreq.filename, servercertalt1req.filename, clientcertreq.filename,
+ false, false, "libvirt.org", NULL);
+ DO_SESS_TEST(cacertreq.filename, servercertalt1req.filename, clientcertreq.filename,
+ false, false, "www.libvirt.org", NULL);
+ DO_SESS_TEST(cacertreq.filename, servercertalt1req.filename, clientcertreq.filename,
+ false, true, "wiki.libvirt.org", NULL);
- DO_SESS_TEST(cacertreq, servercertalt2req, clientcertreq, false, true, "libvirt.org", NULL);
- DO_SESS_TEST(cacertreq, servercertalt2req, clientcertreq, false, false, "www.libvirt.org", NULL);
- DO_SESS_TEST(cacertreq, servercertalt2req, clientcertreq, false, false, "wiki.libvirt.org", NULL);
+ DO_SESS_TEST(cacertreq.filename, servercertalt2req.filename, clientcertreq.filename,
+ false, true, "libvirt.org", NULL);
+ DO_SESS_TEST(cacertreq.filename, servercertalt2req.filename, clientcertreq.filename,
+ false, false, "www.libvirt.org", NULL);
+ DO_SESS_TEST(cacertreq.filename, servercertalt2req.filename, clientcertreq.filename,
+ false, false, "wiki.libvirt.org", NULL);
const char *const wildcards1[] = {
"C=UK,CN=dogfood",
NULL,
};
- DO_SESS_TEST(cacertreq, servercertreq, clientcertreq, true, false, "libvirt.org", wildcards1);
- DO_SESS_TEST(cacertreq, servercertreq, clientcertreq, false, false, "libvirt.org", wildcards2);
- DO_SESS_TEST(cacertreq, servercertreq, clientcertreq, false, false, "libvirt.org", wildcards3);
- DO_SESS_TEST(cacertreq, servercertreq, clientcertreq, true, false, "libvirt.org", wildcards4);
- DO_SESS_TEST(cacertreq, servercertreq, clientcertreq, false, false, "libvirt.org", wildcards5);
- DO_SESS_TEST(cacertreq, servercertreq, clientcertreq, false, false, "libvirt.org", wildcards6);
+ DO_SESS_TEST(cacertreq.filename, servercertreq.filename, clientcertreq.filename,
+ true, false, "libvirt.org", wildcards1);
+ DO_SESS_TEST(cacertreq.filename, servercertreq.filename, clientcertreq.filename,
+ false, false, "libvirt.org", wildcards2);
+ DO_SESS_TEST(cacertreq.filename, servercertreq.filename, clientcertreq.filename,
+ false, false, "libvirt.org", wildcards3);
+ DO_SESS_TEST(cacertreq.filename, servercertreq.filename, clientcertreq.filename,
+ true, false, "libvirt.org", wildcards4);
+ DO_SESS_TEST(cacertreq.filename, servercertreq.filename, clientcertreq.filename,
+ false, false, "libvirt.org", wildcards5);
+ DO_SESS_TEST(cacertreq.filename, servercertreq.filename, clientcertreq.filename,
+ false, false, "libvirt.org", wildcards6);
testTLSDiscardCert(&clientcertreq);
testTLSDiscardCert(&clientcertaltreq);