From 252f0445c26644a711dc2c41ee2fcebe42eac742 Mon Sep 17 00:00:00 2001 Message-Id: <252f0445c26644a711dc2c41ee2fcebe42eac742.1377873637.git.jdenemar@redhat.com> From: "Daniel P. Berrange" Date: Tue, 13 Aug 2013 11:32:47 +0100 Subject: [PATCH] Change data passed into TLS test cases For https://bugzilla.redhat.com/show_bug.cgi?id=994158 Currently a 'struct testTLSCertReq' instance is passed into the TLS test cases. This is not flexible enough to cope with certificate chains, where one file now corresponds to multiple certificates. Change the test cases so that we pass in filenames instead. Signed-off-by: Daniel P. Berrange (cherry picked from commit b93bd78ed36570c1afe594182df927d94ea6ebaa)
---
tests/virnettlscontexttest.c | 96 +++++++++++++++++++++--------------------- tests/virnettlssessiontest.c | 99 ++++++++++++++++++++++++-------------------- 2 files changed, 102 insertions(+), 93 deletions(-)
diff --git a/tests/virnettlscontexttest.c b/tests/virnettlscontexttest.c
index 4211a74..3012c4a 100644
--- a/tests/virnettlscontexttest.c
+++ b/tests/virnettlscontexttest.c
@@ -42,8 +42,8 @@ struct testTLSContextData {
 bool isServer;
- struct testTLSCertReq careq;
- struct testTLSCertReq certreq;
+ const char *cacrt;
+ const char *crt;
 bool expectFail;
 };
@@ -63,17 +63,17 @@ static int testTLSContextInit(const void *opaque)
 int ret = -1;
 if (data->isServer) {
- ctxt = virNetTLSContextNewServer(data->careq.filename,
+ ctxt = virNetTLSContextNewServer(data->cacrt,
 NULL,
- data->certreq.filename,
+ data->crt,
 keyfile, NULL, true, true);
 } else {
- ctxt = virNetTLSContextNewClient(data->careq.filename,
+ ctxt = virNetTLSContextNewClient(data->cacrt,
 NULL,
- data->certreq.filename,
+ data->crt,
 keyfile, true, true);
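Review bot: The new `cacrt` and `crt` fields of struct testTLSContextData in the first hunk carry no comment saying what they point at, and the commit message's motivation (one file may soon hold a whole certificate chain) is exactly the contract a field comment should record. Suggested: `const char *cacrt; /* path to PEM file holding the CA cert(s) to trust */` and `const char *crt; /* path to PEM file holding the server/client cert under test; key is passed separately */`. The same applies to the four `const char *` fields added to struct testTLSSessionData in the first hunk of virnettlssessiontest.c.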
@@ -82,14 +82,14 @@ static int testTLSContextInit(const void *opaque)
 if (ctxt) {
 if (data->expectFail) {
 VIR_WARN("Expected failure %s against %s",
- data->careq.filename, data->certreq.filename);
+ data->cacrt, data->crt);
 goto cleanup;
 }
 } else {
 virErrorPtr err = virGetLastError();
 if (!data->expectFail) {
 VIR_WARN("Unexpected failure %s against %s",
- data->careq.filename, data->certreq.filename);
+ data->cacrt, data->crt);
 goto cleanup;
 }
 VIR_DEBUG("Got error %s", err ? err->message : "");
@@ -111,14 +111,14 @@ mymain(void)
 testTLSInit();
-# define DO_CTX_TEST(_isServer, _caReq, _certReq, _expectFail) \
+# define DO_CTX_TEST(_isServer, _caCrt, _crt, _expectFail) \
 do { \
 static struct testTLSContextData data; \
 data.isServer = _isServer; \
- data.careq = _caReq; \
- data.certreq = _certReq; \
+ data.cacrt = _caCrt; \
+ data.crt = _crt; \
 data.expectFail = _expectFail; \
- if (virtTestRun("TLS Context " #_caReq " + " #_certReq, 1, \
+ if (virtTestRun("TLS Context " #_caCrt " + " #_crt, 1, \
 testTLSContextInit, &data) < 0) \
 ret = -1; \
 } while (0)
@@ -127,7 +127,7 @@ mymain(void)
 co, cn, an1, an2, ia1, ia2, bce, bcc, bci, \
 kue, kuc, kuv, kpe, kpc, kpo1, kpo2, so, eo) \
 static struct testTLSCertReq varname = { \
- NULL, #varname ".pem", \
+ NULL, #varname "-ctx.pem", \
 co, cn, an1, an2, ia1, ia2, bce, bcc, bci, \
 kue, kuc, kuv, kpe, kpc, kpo1, kpo2, so, eo \
 }; \
@@ -137,7 +137,7 @@ mymain(void)
 co, cn, an1, an2, ia1, ia2, bce, bcc, bci, \
 kue, kuc, kuv, kpe, kpc, kpo1, kpo2, so, eo) \
 static struct testTLSCertReq varname = { \
- NULL, #varname ".pem", \
+ NULL, #varname "-ctx.pem", \
 co, cn, an1, an2, ia1, ia2, bce, bcc, bci, \
 kue, kuc, kuv, kpe, kpc, kpo1, kpo2, so, eo \
 }; \
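Review bot: The generated certificate filename changes from `#varname ".pem"` to `#varname "-ctx.pem"` in the @@ -127 hunk and again in the @@ -137 hunk (and to `"-sess.pem"` in the two TLS_CERT_REQ macros of virnettlssessiontest.c), but neither the commit message nor the code says why. It looks like it keeps the two test binaries' generated files distinct so a concurrent test run cannot overwrite the other's certificates, but that is an inference from the names. A one-line comment above the macro, `/* "-ctx" suffix keeps these files distinct from virnettlssessiontest's "-sess" ones */`, would record the intent where the next maintainer will look for it. The enclosing mymain() starts before and continues after these hunks.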
@@ -167,8 +167,8 @@ mymain(void)
 true, true, GNUTLS_KP_TLS_WWW_CLIENT, NULL, 0, 0);
- DO_CTX_TEST(true, cacertreq, servercertreq, false);
- DO_CTX_TEST(false, cacertreq, clientcertreq, false);
+ DO_CTX_TEST(true, cacertreq.filename, servercertreq.filename, false);
+ DO_CTX_TEST(false, cacertreq.filename, clientcertreq.filename, false);
 /* Some other CAs which are good */
@@ -215,9 +215,9 @@ mymain(void)
 true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL, 0, 0);
- DO_CTX_TEST(true, cacert1req, servercert1req, false);
- DO_CTX_TEST(true, cacert2req, servercert2req, false);
- DO_CTX_TEST(true, cacert3req, servercert3req, false);
+ DO_CTX_TEST(true, cacert1req.filename, servercert1req.filename, false);
+ DO_CTX_TEST(true, cacert2req.filename, servercert2req.filename, false);
+ DO_CTX_TEST(true, cacert3req.filename, servercert3req.filename, false);
 /* Now some bad certs */
@@ -266,9 +266,9 @@ mymain(void)
 * be rejected. GNUTLS < 3 does not reject it and
 * we don't anticipate them changing this behaviour */
- DO_CTX_TEST(true, cacert4req, servercert4req, GNUTLS_VERSION_MAJOR >= 3);
- DO_CTX_TEST(true, cacert5req, servercert5req, true);
- DO_CTX_TEST(true, cacert6req, servercert6req, true);
+ DO_CTX_TEST(true, cacert4req.filename, servercert4req.filename, GNUTLS_VERSION_MAJOR >= 3);
+ DO_CTX_TEST(true, cacert5req.filename, servercert5req.filename, true);
+ DO_CTX_TEST(true, cacert6req.filename, servercert6req.filename, true);
 /* Various good servers */
@@ -322,13 +322,13 @@ mymain(void)
 true, false, GNUTLS_KP_TLS_WWW_CLIENT, GNUTLS_KP_TLS_WWW_SERVER, 0, 0);
- DO_CTX_TEST(true, cacertreq, servercert7req, false);
- DO_CTX_TEST(true, cacertreq, servercert8req, false);
- DO_CTX_TEST(true, cacertreq, servercert9req, false);
- DO_CTX_TEST(true, cacertreq, servercert10req, false);
- DO_CTX_TEST(true, cacertreq, servercert11req, false);
- DO_CTX_TEST(true, cacertreq, servercert12req, false);
- DO_CTX_TEST(true, cacertreq, servercert13req, false);
+ DO_CTX_TEST(true, cacertreq.filename, servercert7req.filename, false);
+ DO_CTX_TEST(true, cacertreq.filename, servercert8req.filename, false);
+ DO_CTX_TEST(true, cacertreq.filename, servercert9req.filename, false);
+ DO_CTX_TEST(true, cacertreq.filename, servercert10req.filename, false);
+ DO_CTX_TEST(true, cacertreq.filename, servercert11req.filename, false);
+ DO_CTX_TEST(true, cacertreq.filename, servercert12req.filename, false);
+ DO_CTX_TEST(true, cacertreq.filename, servercert13req.filename, false);
 /* Bad servers */
 /* usage:cert-sign:critical */
@@ -353,9 +353,9 @@ mymain(void)
 false, false, NULL, NULL, 0, 0);
- DO_CTX_TEST(true, cacertreq, servercert14req, true);
- DO_CTX_TEST(true, cacertreq, servercert15req, true);
- DO_CTX_TEST(true, cacertreq, servercert16req, true);
+ DO_CTX_TEST(true, cacertreq.filename, servercert14req.filename, true);
+ DO_CTX_TEST(true, cacertreq.filename, servercert15req.filename, true);
+ DO_CTX_TEST(true, cacertreq.filename, servercert16req.filename, true);
@@ -410,13 +410,13 @@ mymain(void)
 true, false, GNUTLS_KP_TLS_WWW_CLIENT, GNUTLS_KP_TLS_WWW_SERVER, 0, 0);
- DO_CTX_TEST(false, cacertreq, clientcert1req, false);
- DO_CTX_TEST(false, cacertreq, clientcert2req, false);
- DO_CTX_TEST(false, cacertreq, clientcert3req, false);
- DO_CTX_TEST(false, cacertreq, clientcert4req, false);
- DO_CTX_TEST(false, cacertreq, clientcert5req, false);
- DO_CTX_TEST(false, cacertreq, clientcert6req, false);
- DO_CTX_TEST(false, cacertreq, clientcert7req, false);
+ DO_CTX_TEST(false, cacertreq.filename, clientcert1req.filename, false);
+ DO_CTX_TEST(false, cacertreq.filename, clientcert2req.filename, false);
+ DO_CTX_TEST(false, cacertreq.filename, clientcert3req.filename, false);
+ DO_CTX_TEST(false, cacertreq.filename, clientcert4req.filename, false);
+ DO_CTX_TEST(false, cacertreq.filename, clientcert5req.filename, false);
+ DO_CTX_TEST(false, cacertreq.filename, clientcert6req.filename, false);
+ DO_CTX_TEST(false, cacertreq.filename, clientcert7req.filename, false);
 /* Bad clients */
 /* usage:cert-sign:critical */
@@ -441,9 +441,9 @@ mymain(void)
 false, false, NULL, NULL, 0, 0);
- DO_CTX_TEST(false, cacertreq, clientcert8req, true);
- DO_CTX_TEST(false, cacertreq, clientcert9req, true);
- DO_CTX_TEST(false, cacertreq, clientcert10req, true);
+ DO_CTX_TEST(false, cacertreq.filename, clientcert8req.filename, true);
+ DO_CTX_TEST(false, cacertreq.filename, clientcert9req.filename, true);
+ DO_CTX_TEST(false, cacertreq.filename, clientcert10req.filename, true);
@@ -474,9 +474,9 @@ mymain(void)
 true, true, GNUTLS_KP_TLS_WWW_CLIENT, NULL, 0, -1);
- DO_CTX_TEST(true, cacertexpreq, servercertexpreq, true);
- DO_CTX_TEST(true, cacertreq, servercertexp1req, true);
- DO_CTX_TEST(false, cacertreq, clientcertexp1req, true);
+ DO_CTX_TEST(true, cacertexpreq.filename, servercertexpreq.filename, true);
+ DO_CTX_TEST(true, cacertreq.filename, servercertexp1req.filename, true);
+ DO_CTX_TEST(false, cacertreq.filename, clientcertexp1req.filename, true);
 /* Not activated stuff */
@@ -506,9 +506,9 @@ mymain(void)
 true, true, GNUTLS_KP_TLS_WWW_CLIENT, NULL, 1, 2);
- DO_CTX_TEST(true, cacertnewreq, servercertnewreq, true);
- DO_CTX_TEST(true, cacertreq, servercertnew1req, true);
- DO_CTX_TEST(false, cacertreq, clientcertnew1req, true);
+ DO_CTX_TEST(true, cacertnewreq.filename, servercertnewreq.filename, true);
+ DO_CTX_TEST(true, cacertreq.filename, servercertnew1req.filename, true);
+ DO_CTX_TEST(false, cacertreq.filename, clientcertnew1req.filename, true);
 testTLSDiscardCert(&cacertreq);
 testTLSDiscardCert(&cacert1req);
diff --git a/tests/virnettlssessiontest.c b/tests/virnettlssessiontest.c
index 370ba52..8636fc8 100644
--- a/tests/virnettlssessiontest.c
+++ b/tests/virnettlssessiontest.c
@@ -39,10 +39,10 @@
 # define VIR_FROM_THIS VIR_FROM_RPC
 struct testTLSSessionData {
- struct testTLSCertReq careq;
- struct testTLSCertReq othercareq;
- struct testTLSCertReq serverreq;
- struct testTLSCertReq clientreq;
+ const char *servercacrt;
+ const char *clientcacrt;
+ const char *servercrt;
+ const char *clientcrt;
 bool expectServerFail;
 bool expectClientFail;
 const char *hostname;
@@ -104,32 +104,29 @@ static int testTLSSessionInit(const void *opaque)
 * want to make sure that problems are being
 * detected at the TLS session validation stage */
- serverCtxt = virNetTLSContextNewServer(data->careq.filename,
+ serverCtxt = virNetTLSContextNewServer(data->servercacrt,
 NULL,
- data->serverreq.filename,
+ data->servercrt,
 keyfile, data->wildcards, false, true);
- clientCtxt = virNetTLSContextNewClient(data->othercareq.filename ?
- data->othercareq.filename :
- data->careq.filename,
+ clientCtxt = virNetTLSContextNewClient(data->clientcacrt,
 NULL,
- data->clientreq.filename,
+ data->clientcrt,
 keyfile, false, true);
 if (!serverCtxt) {
 VIR_WARN("Unexpected failure loading %s against %s",
- data->careq.filename, data->serverreq.filename);
+ data->servercacrt, data->servercrt);
 goto cleanup;
 }
 if (!clientCtxt) {
 VIR_WARN("Unexpected failure loading %s against %s",
- data->othercareq.filename ? data->othercareq.filename :
- data->careq.filename, data->clientreq.filename);
+ data->clientcacrt, data->clientcrt);
 goto cleanup;
 }
@@ -140,13 +137,12 @@ static int testTLSSessionInit(const void *opaque)
 if (!serverSess) {
 VIR_WARN("Unexpected failure using %s against %s",
- data->careq.filename, data->serverreq.filename);
+ data->servercacrt, data->servercrt);
 goto cleanup;
 }
 if (!clientSess) {
 VIR_WARN("Unexpected failure using %s against %s",
- data->othercareq.filename ? data->othercareq.filename :
- data->careq.filename, data->clientreq.filename);
+ data->clientcacrt, data->clientcrt);
 goto cleanup;
 }
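Review bot: The client context is now built from `data->clientcacrt` with no fallback, where the removed code substituted `careq.filename` whenever `othercareq.filename` was NULL. For the callers visible in this patch that is equivalent, because DO_SESS_TEST fills `clientcacrt` from the same argument as `servercacrt`, but a future DO_SESS_TEST_EXT call passing NULL for the client CA would now hand NULL straight to virNetTLSContextNewClient, and how that function treats a NULL CA path is not visible here. Either a comment at the top of the function, `/* Both CA paths are required; DO_SESS_TEST sets clientcacrt == servercacrt */`, or an explicit `if (!data->servercacrt || !data->clientcacrt) goto cleanup;` before the two context constructors would make the contract checkable rather than implicit. testTLSSessionInit begins and ends outside this hunk.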
@@ -242,38 +238,37 @@ mymain(void)
 testTLSInit();
-# define DO_SESS_TEST(_caReq, _serverReq, _clientReq, _expectServerFail,\
+# define DO_SESS_TEST(_caCrt, _serverCrt, _clientCrt, _expectServerFail, \
 _expectClientFail, _hostname, _wildcards) \
 do { \
 static struct testTLSSessionData data; \
- static struct testTLSCertReq other; \
- data.careq = _caReq; \
- data.othercareq = other; \
- data.serverreq = _serverReq; \
- data.clientreq = _clientReq; \
+ data.servercacrt = _caCrt; \
+ data.clientcacrt = _caCrt; \
+ data.servercrt = _serverCrt; \
+ data.clientcrt = _clientCrt; \
 data.expectServerFail = _expectServerFail; \
 data.expectClientFail = _expectClientFail; \
 data.hostname = _hostname; \
 data.wildcards = _wildcards; \
- if (virtTestRun("TLS Session " #_serverReq " + " #_clientReq, \
+ if (virtTestRun("TLS Session " #_serverCrt " + " #_clientCrt, \
 1, testTLSSessionInit, &data) < 0) \
 ret = -1; \
 } while (0)
-# define DO_SESS_TEST_EXT(_caReq, _othercaReq, _serverReq, _clientReq, \
+# define DO_SESS_TEST_EXT(_serverCaCrt, _clientCaCrt, _serverCrt, _clientCrt, \
 _expectServerFail, _expectClientFail, \
 _hostname, _wildcards) \
 do { \
 static struct testTLSSessionData data; \
- data.careq = _caReq; \
- data.othercareq = _othercaReq; \
- data.serverreq = _serverReq; \
- data.clientreq = _clientReq; \
+ data.servercacrt = _serverCaCrt; \
+ data.clientcacrt = _clientCaCrt; \
+ data.servercrt = _serverCrt; \
+ data.clientcrt = _clientCrt; \
 data.expectServerFail = _expectServerFail; \
 data.expectClientFail = _expectClientFail; \
 data.hostname = _hostname; \
 data.wildcards = _wildcards; \
- if (virtTestRun("TLS Session " #_serverReq " + " #_clientReq, \
+ if (virtTestRun("TLS Session " #_serverCrt " + " #_clientCrt, \
 1, testTLSSessionInit, &data) < 0) \
 ret = -1; \
 } while (0)
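Review bot: After this change DO_SESS_TEST and DO_SESS_TEST_EXT differ only in that the former assigns the same `_caCrt` to both `servercacrt` and `clientcacrt`, so the rest of the body is duplicated verbatim and the two copies can drift apart. DO_SESS_TEST can be defined after DO_SESS_TEST_EXT as `# define DO_SESS_TEST(_caCrt, _serverCrt, _clientCrt, _expectServerFail, _expectClientFail, _hostname, _wildcards) \` followed by `DO_SESS_TEST_EXT(_caCrt, _caCrt, _serverCrt, _clientCrt, _expectServerFail, _expectClientFail, _hostname, _wildcards)`. The stringified test name is unaffected, because `#_serverCrt` in the inner macro still sees the argument tokens as written at the call site. mymain() continues outside this hunk.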
@@ -282,7 +277,7 @@ mymain(void)
 co, cn, an1, an2, ia1, ia2, bce, bcc, bci, \
 kue, kuc, kuv, kpe, kpc, kpo1, kpo2, so, eo) \
 static struct testTLSCertReq varname = { \
- NULL, #varname ".pem", \
+ NULL, #varname "-sess.pem", \
 co, cn, an1, an2, ia1, ia2, bce, bcc, bci, \
 kue, kuc, kuv, kpe, kpc, kpo1, kpo2, so, so \
 }; \
@@ -292,7 +287,7 @@ mymain(void)
 co, cn, an1, an2, ia1, ia2, bce, bcc, bci, \
 kue, kuc, kuv, kpe, kpc, kpo1, kpo2, so, eo) \
 static struct testTLSCertReq varname = { \
- NULL, #varname ".pem", \
+ NULL, #varname "-sess.pem", \
 co, cn, an1, an2, ia1, ia2, bce, bcc, bci, \
 kue, kuc, kuv, kpe, kpc, kpo1, kpo2, so, so \
 }; \
@@ -335,8 +330,10 @@ mymain(void)
 true, true, GNUTLS_KP_TLS_WWW_CLIENT, NULL, 0, 0);
- DO_SESS_TEST(cacertreq, servercertreq, clientcertreq, false, false, "libvirt.org", NULL);
- DO_SESS_TEST_EXT(cacertreq, altcacertreq, servercertreq, clientcertaltreq, true, true, "libvirt.org", NULL);
+ DO_SESS_TEST(cacertreq.filename, servercertreq.filename, clientcertreq.filename,
+ false, false, "libvirt.org", NULL);
+ DO_SESS_TEST_EXT(cacertreq.filename, altcacertreq.filename, servercertreq.filename,
+ clientcertaltreq.filename, true, true, "libvirt.org", NULL);
 /* When an altname is set, the CN is ignored, so it must be duplicated
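Review bot: The last initializer line of the TLS_CERT_REQ macro in this hunk, and again in the @@ -292 hunk, reads `kue, kuc, kuv, kpe, kpc, kpo1, kpo2, so, so \`, whereas the matching macros in virnettlscontexttest.c end with `so, eo`, so the `eo` parameter of the session-test macros is accepted and then silently discarded. Every call visible on this page passes `0, 0` for those two arguments, so nothing changes today, but a session test meant to exercise an expired or not-yet-valid certificate through this macro would not get the expiry offset it asks for and would pass for the wrong reason. If the two trailing fields are the start and expiry offsets the names suggest, the line should be `kue, kuc, kuv, kpe, kpc, kpo1, kpo2, so, eo \` in both macros. This is pre-existing context rather than something the commit changes; mymain() continues outside the hunk.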
@@ -355,13 +352,19 @@ mymain(void)
 true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL, 0, 0);
- DO_SESS_TEST(cacertreq, servercertalt1req, clientcertreq, false, false, "libvirt.org", NULL);
- DO_SESS_TEST(cacertreq, servercertalt1req, clientcertreq, false, false, "www.libvirt.org", NULL);
- DO_SESS_TEST(cacertreq, servercertalt1req, clientcertreq, false, true, "wiki.libvirt.org", NULL);
+ DO_SESS_TEST(cacertreq.filename, servercertalt1req.filename, clientcertreq.filename,
+ false, false, "libvirt.org", NULL);
+ DO_SESS_TEST(cacertreq.filename, servercertalt1req.filename, clientcertreq.filename,
+ false, false, "www.libvirt.org", NULL);
+ DO_SESS_TEST(cacertreq.filename, servercertalt1req.filename, clientcertreq.filename,
+ false, true, "wiki.libvirt.org", NULL);
- DO_SESS_TEST(cacertreq, servercertalt2req, clientcertreq, false, true, "libvirt.org", NULL);
- DO_SESS_TEST(cacertreq, servercertalt2req, clientcertreq, false, false, "www.libvirt.org", NULL);
- DO_SESS_TEST(cacertreq, servercertalt2req, clientcertreq, false, false, "wiki.libvirt.org", NULL);
+ DO_SESS_TEST(cacertreq.filename, servercertalt2req.filename, clientcertreq.filename,
+ false, true, "libvirt.org", NULL);
+ DO_SESS_TEST(cacertreq.filename, servercertalt2req.filename, clientcertreq.filename,
+ false, false, "www.libvirt.org", NULL);
+ DO_SESS_TEST(cacertreq.filename, servercertalt2req.filename, clientcertreq.filename,
+ false, false, "wiki.libvirt.org", NULL);
 const char *const wildcards1[] = {
 "C=UK,CN=dogfood",
@@ -389,12 +392,18 @@ mymain(void)
 NULL, };
- DO_SESS_TEST(cacertreq, servercertreq, clientcertreq, true, false, "libvirt.org", wildcards1);
- DO_SESS_TEST(cacertreq, servercertreq, clientcertreq, false, false, "libvirt.org", wildcards2);
- DO_SESS_TEST(cacertreq, servercertreq, clientcertreq, false, false, "libvirt.org", wildcards3);
- DO_SESS_TEST(cacertreq, servercertreq, clientcertreq, true, false, "libvirt.org", wildcards4);
- DO_SESS_TEST(cacertreq, servercertreq, clientcertreq, false, false, "libvirt.org", wildcards5);
- DO_SESS_TEST(cacertreq, servercertreq, clientcertreq, false, false, "libvirt.org", wildcards6);
+ DO_SESS_TEST(cacertreq.filename, servercertreq.filename, clientcertreq.filename,
+ true, false, "libvirt.org", wildcards1);
+ DO_SESS_TEST(cacertreq.filename, servercertreq.filename, clientcertreq.filename,
+ false, false, "libvirt.org", wildcards2);
+ DO_SESS_TEST(cacertreq.filename, servercertreq.filename, clientcertreq.filename,
+ false, false, "libvirt.org", wildcards3);
+ DO_SESS_TEST(cacertreq.filename, servercertreq.filename, clientcertreq.filename,
+ true, false, "libvirt.org", wildcards4);
+ DO_SESS_TEST(cacertreq.filename, servercertreq.filename, clientcertreq.filename,
+ false, false, "libvirt.org", wildcards5);
+ DO_SESS_TEST(cacertreq.filename, servercertreq.filename, clientcertreq.filename,
+ false, false, "libvirt.org", wildcards6);
 testTLSDiscardCert(&clientcertreq);
 testTLSDiscardCert(&clientcertaltreq);
-- 1.8.3.2