Skip to content

L
libvirt

openeuler / libvirt

通知 3
Star 0
Fork 0
L
libvirt
提交 90811c59 编写于 作者: D Daniel P. Berrange
浏览文件
操作

Avoid re-generating certs every time 

Currently every test case in the TLS test suite generates the
certs fresh. This is a waste of time, since its parameters
don't change across test cases. Create certs once in main
method.
Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>
上级 236da82d
展开全部 隐藏空白更改
内联 并排
Showing with 445 addition and 390 deletion
tests/virnettlscontexttest.c
浏览文件 @ 90811c59
此差异已折叠。
tests/virnettlshelpers.c
浏览文件 @ 90811c59
......@@ -152,7 +152,8 @@ static void testTLSDerEncode(ASN1_TYPE src,
* TLS certificate code
*/
void
testTLSGenerateCert(struct testTLSCertReq *req)
testTLSGenerateCert(struct testTLSCertReq *req,
gnutls_x509_crt_t ca)
{
gnutls_x509_crt_t crt;
int err;
......@@ -379,10 +380,10 @@ testTLSGenerateCert(struct testTLSCertReq *req)
/*
* If no 'cart' is set then we are self signing
* the cert. This is done for CA certs
* If no 'ca' is set then we are self signing
* the cert. This is done for the root CA certs
*/
if ((err = gnutls_x509_crt_sign(crt, req->cacrt ? req->cacrt : crt, privkey) < 0)) {
if ((err = gnutls_x509_crt_sign(crt, ca ? ca : crt, privkey) < 0)) {
VIR_WARN("Failed to sign certificate %s", gnutls_strerror(err));
abort();
}
......
tests/virnettlshelpers.h
浏览文件 @ 90811c59
......@@ -36,7 +36,6 @@ extern const char *keyfile;
*/
struct testTLSCertReq {
gnutls_x509_crt_t crt;
gnutls_x509_crt_t cacrt; /* If not set, then the cert will be self-signed */
const char *filename;
......@@ -70,7 +69,8 @@ struct testTLSCertReq {
int expire_offset;
};
void testTLSGenerateCert(struct testTLSCertReq *req);
void testTLSGenerateCert(struct testTLSCertReq *req,
gnutls_x509_crt_t ca);
void testTLSDiscardCert(struct testTLSCertReq *req);
void testTLSInit(void);
......
tests/virnettlssessiontest.c
浏览文件 @ 90811c59
......@@ -100,20 +100,6 @@ static int testTLSSessionInit(const void *opaque)
ignore_value(virSetNonBlock(channel[1]));
/* Generate all the certs we need for this test */
testTLSGenerateCert(&data->careq);
data->serverreq.cacrt = data->careq.crt;
testTLSGenerateCert(&data->serverreq);
if (data->othercareq.filename) {
testTLSGenerateCert(&data->othercareq);
data->clientreq.cacrt = data->othercareq.crt;
} else {
data->clientreq.cacrt = data->careq.crt;
}
testTLSGenerateCert(&data->clientreq);
/* We skip initial sanity checks here because we
* want to make sure that problems are being
* detected at the TLS session validation stage
......@@ -243,12 +229,6 @@ cleanup:
virObjectUnref(serverSess);
virObjectUnref(clientSess);
testTLSDiscardCert(&data->careq);
if (data->othercareq.filename)
testTLSDiscardCert(&data->othercareq);
testTLSDiscardCert(&data->clientreq);
testTLSDiscardCert(&data->serverreq);
VIR_FORCE_CLOSE(channel[0]);
VIR_FORCE_CLOSE(channel[1]);
return ret;
......@@ -275,7 +255,8 @@ mymain(void)
data.expectClientFail = _expectClientFail; \
data.hostname = _hostname; \
data.wildcards = _wildcards; \
if (virtTestRun("TLS Session", 1, testTLSSessionInit, &data) < 0) \
if (virtTestRun("TLS Session " #_serverReq " + " #_clientReq, \
1, testTLSSessionInit, &data) < 0) \
ret = -1; \
} while (0)
......@@ -292,68 +273,87 @@ mymain(void)
data.expectClientFail = _expectClientFail; \
data.hostname = _hostname; \
data.wildcards = _wildcards; \
if (virtTestRun("TLS Session", 1, testTLSSessionInit, &data) < 0) \
if (virtTestRun("TLS Session " #_serverReq " + " #_clientReq, \
1, testTLSSessionInit, &data) < 0) \
ret = -1; \
} while (0)
# define TLS_CERT_REQ(varname, cavarname, \
co, cn, an1, an2, ia1, ia2, bce, bcc, bci, \
kue, kuc, kuv, kpe, kpc, kpo1, kpo2, so, eo) \
static struct testTLSCertReq varname = { \
NULL, #varname ".pem", \
co, cn, an1, an2, ia1, ia2, bce, bcc, bci, \
kue, kuc, kuv, kpe, kpc, kpo1, kpo2, so, so \
}; \
testTLSGenerateCert(&varname, cavarname.crt)
# define TLS_ROOT_REQ(varname, \
co, cn, an1, an2, ia1, ia2, bce, bcc, bci, \
kue, kuc, kuv, kpe, kpc, kpo1, kpo2, so, eo) \
static struct testTLSCertReq varname = { \
NULL, #varname ".pem", \
co, cn, an1, an2, ia1, ia2, bce, bcc, bci, \
kue, kuc, kuv, kpe, kpc, kpo1, kpo2, so, so \
}; \
testTLSGenerateCert(&varname, NULL)
/* A perfect CA, perfect client & perfect server */
/* Basic:CA:critical */
static struct testTLSCertReq cacertreq = {
NULL, NULL, "cacert.pem", "UK",
"libvirt CA", NULL, NULL, NULL, NULL,
true, true, true,
true, true, GNUTLS_KEY_KEY_CERT_SIGN,
false, false, NULL, NULL,
0, 0,
};
static struct testTLSCertReq cacert1req = {
NULL, NULL, "cacert1.pem", "UK",
"libvirt CA 1", NULL, NULL, NULL, NULL,
true, true, true,
false, false, 0,
false, false, NULL, NULL,
0, 0,
};
static struct testTLSCertReq servercertreq = {
NULL, NULL, "servercert.pem", "UK",
"libvirt.org", NULL, NULL, NULL, NULL,
true, true, false,
true, true, GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT,
true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL,
0, 0,
};
static struct testTLSCertReq clientcertreq = {
NULL, NULL, "clientcert.pem", "UK",
"libvirt", NULL, NULL, NULL, NULL,
true, true, false,
true, true, GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT,
true, true, GNUTLS_KP_TLS_WWW_CLIENT, NULL,
0, 0,
};
TLS_ROOT_REQ(cacertreq,
"UK", "libvirt CA", NULL, NULL, NULL, NULL,
true, true, true,
true, true, GNUTLS_KEY_KEY_CERT_SIGN,
false, false, NULL, NULL,
0, 0);
TLS_ROOT_REQ(altcacertreq,
"UK", "libvirt CA 1", NULL, NULL, NULL, NULL,
true, true, true,
false, false, 0,
false, false, NULL, NULL,
0, 0);
TLS_CERT_REQ(servercertreq, cacertreq,
"UK", "libvirt.org", NULL, NULL, NULL, NULL,
true, true, false,
true, true, GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT,
true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL,
0, 0);
TLS_CERT_REQ(clientcertreq, cacertreq,
"UK", "libvirt", NULL, NULL, NULL, NULL,
true, true, false,
true, true, GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT,
true, true, GNUTLS_KP_TLS_WWW_CLIENT, NULL,
0, 0);
TLS_CERT_REQ(clientcertaltreq, altcacertreq,
"UK", "libvirt", NULL, NULL, NULL, NULL,
true, true, false,
true, true, GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT,
true, true, GNUTLS_KP_TLS_WWW_CLIENT, NULL,
0, 0);
DO_SESS_TEST(cacertreq, servercertreq, clientcertreq, false, false, "libvirt.org", NULL);
DO_SESS_TEST_EXT(cacertreq, cacert1req, servercertreq, clientcertreq, true, true, "libvirt.org", NULL);
DO_SESS_TEST_EXT(cacertreq, altcacertreq, servercertreq, clientcertaltreq, true, true, "libvirt.org", NULL);
/* When an altname is set, the CN is ignored, so it must be duplicated
* as an altname for it to match */
static struct testTLSCertReq servercertalt1req = {
NULL, NULL, "servercert.pem", "UK",
"libvirt.org", "www.libvirt.org", "libvirt.org", "192.168.122.1", "fec0::dead:beaf",
true, true, false,
true, true, GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT,
true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL,
0, 0,
};
TLS_CERT_REQ(servercertalt1req, cacertreq,
"UK", "libvirt.org", "www.libvirt.org", "libvirt.org", "192.168.122.1", "fec0::dead:beaf",
true, true, false,
true, true, GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT,
true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL,
0, 0);
/* This intentionally doesn't replicate */
static struct testTLSCertReq servercertalt2req = {
NULL, NULL, "servercert.pem", "UK",
"libvirt.org", "www.libvirt.org", "wiki.libvirt.org", "192.168.122.1", "fec0::dead:beaf",
true, true, false,
true, true, GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT,
true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL,
0, 0,
};
TLS_CERT_REQ(servercertalt2req, cacertreq,
"UK", "libvirt.org", "www.libvirt.org", "wiki.libvirt.org", "192.168.122.1", "fec0::dead:beaf",
true, true, false,
true, true, GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT,
true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL,
0, 0);
DO_SESS_TEST(cacertreq, servercertalt1req, clientcertreq, false, false, "libvirt.org", NULL);
DO_SESS_TEST(cacertreq, servercertalt1req, clientcertreq, false, false, "www.libvirt.org", NULL);
......@@ -396,6 +396,16 @@ mymain(void)
DO_SESS_TEST(cacertreq, servercertreq, clientcertreq, false, false, "libvirt.org", wildcards5);
DO_SESS_TEST(cacertreq, servercertreq, clientcertreq, false, false, "libvirt.org", wildcards6);
testTLSDiscardCert(&clientcertreq);
testTLSDiscardCert(&clientcertaltreq);
testTLSDiscardCert(&servercertreq);
testTLSDiscardCert(&servercertalt1req);
testTLSDiscardCert(&servercertalt2req);
testTLSDiscardCert(&cacertreq);
testTLSDiscardCert(&altcacertreq);
testTLSCleanup();
return ret==0 ? EXIT_SUCCESS : EXIT_FAILURE;
......
Markdown is supported
0% .
You are about to add 0 people to the discussion. Proceed with caution.
先完成此消息的编辑!
想要评论请 注册