qemu/tests
Daniel P. Berrange 9a2fd4347c crypto: add sanity checking of TLS x509 credentials
If the administrator incorrectly sets up their x509 certificates,
the errors seen at runtime during connection attempts are very
obscure and difficult to diagnose. This has been a particular
problem for people using openssl to generate their certificates
instead of the gnutls certtool, because the openssl tools don't
turn on the various x509 extensions that gnutls expects to be
present by default.

This change thus adds support in the TLS credentials object to
sanity check the certificates when QEMU first loads them. This
gives the administrator immediate feedback for the majority of
common configuration mistakes, reducing the pain involved in
setting up TLS. The code is derived from equivalent code that
has been part of libvirt's TLS support and has been seen to be
valuable in assisting admins.

It is possible to disable the sanity checking, however, via
the new 'sanity-check' property on the tls-creds object type,
with a value of 'no'.

Unit tests are included in this change to verify the correctness
of the sanity checking code in all the key scenarios it is
intended to cope with. As part of the test suite, the pkix_asn1_tab.c
from gnutls is imported. This file is intentionally copied from the
(long since obsolete) gnutls 1.6.3 source tree, since that version
was still under GPLv2+, rather than the GPLv3+ of gnutls >= 2.0.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2015-09-15 15:05:09 +01:00
acpi-test-data acpi: update expected files for memory unplug 2015-05-11 09:21:37 +02:00
image-fuzzer typofixes - v4 2015-09-11 10:45:43 +03:00
libqos i.MX: Add qtest support for I2C device emulator. 2015-09-07 10:39:31 +01:00
multiboot tests/multiboot: Add test for modules 2015-01-26 12:22:44 +01:00
qapi-schema qapi: allow override of default enum prefix naming 2015-09-15 10:59:28 +01:00
qemu-iotests iotests: Add test for checking large image files 2015-09-14 16:51:37 +02:00
rocker rocker: tests: don't need to specify master/self when setting vlans 2015-07-07 13:13:22 +01:00
tcg maint: remove unused include for signal.h 2015-09-11 10:21:38 +03:00
vmstate-static-checker-data
.gitignore crypto: add sanity checking of TLS x509 credentials 2015-09-15 15:05:09 +01:00
ac97-test.c
ahci-test.c qtest/ahci: halted ncq migration test 2015-07-04 02:06:05 -04:00
bios-tables-test.c maint: avoid useless "if (foo) free(foo)" pattern 2015-09-11 10:21:38 +03:00
boot-order-test.c
check-block.sh
check-qdict.c check-qdict: Test cases for new functions 2015-06-12 16:58:06 +02:00
check-qfloat.c
check-qint.c
check-qjson.c qobject: Use 'bool' for qbool 2015-06-22 17:40:00 +02:00
check-qlist.c
check-qom-interface.c
check-qom-proplist.c qom: Don't pass string table to object_get_enum() function 2015-06-19 18:42:48 +02:00
check-qstring.c
crypto-tls-x509-helpers.c crypto: add sanity checking of TLS x509 credentials 2015-09-15 15:05:09 +01:00
crypto-tls-x509-helpers.h crypto: add sanity checking of TLS x509 credentials 2015-09-15 15:05:09 +01:00
display-vga-test.c virtio-gpu: add to display-vga test 2015-07-07 11:23:18 +02:00
drive_del-test.c
ds1338-test.c i.MX: Add qtest support for I2C device emulator. 2015-09-07 10:39:31 +01:00
e1000-test.c tests: Use qtest_add_data_func() consistently 2015-06-19 10:29:14 +02:00
eepro100-test.c tests: Use qtest_add_data_func() consistently 2015-06-19 10:29:14 +02:00
endianness-test.c tests: Use qtest_add_data_func() consistently 2015-06-19 10:29:14 +02:00
es1370-test.c
fdc-test.c fdc-test: Test state for existing cases more thoroughly 2015-06-02 13:34:45 -04:00
fw_cfg-test.c fw_cfg-test: Fix test path to include architecture 2015-03-30 19:19:42 +02:00
hd-geo-test.c
i440fx-test.c i440fx-test: Fix test paths to include architecture 2015-03-30 19:24:54 +02:00
i82801b11-test.c
ide-test.c qtest/ide: add another short PRDT test flavor 2015-07-20 12:21:18 -04:00
intel-hda-test.c
ioh3420-test.c
ipoctal232-test.c
libqtest.c qtest: pre-buffer hex nibs 2015-05-22 15:58:22 -04:00
libqtest.h qtest: Add base64 encoded read/write 2015-05-22 15:58:22 -04:00
m48t59-test.c
Makefile crypto: add sanity checking of TLS x509 credentials 2015-09-15 15:05:09 +01:00
ne2000-test.c
nvme-test.c
pc-cpu-test.c tests: Use qtest_add_data_func() consistently 2015-06-19 10:29:14 +02:00
pcnet-test.c
pkix_asn1_tab.c crypto: add sanity checking of TLS x509 credentials 2015-09-15 15:05:09 +01:00
pvpanic-test.c
q35-test.c q35: add test for SMRAM.D_LCK 2015-06-05 19:45:09 +02:00
qemu-iotests-quick.sh
qom-test.c tests: Use qtest_add_data_func() consistently 2015-06-19 10:29:14 +02:00
rcutorture.c rcu tests: fix compilation on 32-bit ppc 2015-03-25 13:37:10 +01:00
rtc-test.c
rtl8139-test.c timer: rename NSEC_PER_SEC due to Mac OS X header clash 2015-07-20 17:01:00 +01:00
spapr-phb-test.c
tco-test.c tco-test: fix up config accesses and re-enable 2015-07-08 12:38:30 +03:00
test-aio.c AioContext: fix broken ctx->dispatching optimization 2015-07-22 12:41:40 +01:00
test-bitops.c
test-coroutine.c test-coroutine: Regression test for yield bug 2015-03-09 11:11:59 +01:00
test-crypto-cipher.c crypto: extend unit tests to cover decryption too 2015-07-27 12:22:01 +02:00
test-crypto-hash.c crypto: introduce new module for computing hash digests 2015-07-07 12:04:07 +02:00
test-crypto-tlscredsx509.c crypto: add sanity checking of TLS x509 credentials 2015-09-15 15:05:09 +01:00
test-cutils.c cutils: work around platform differences in strto{l,ul,ll,ull} 2015-09-10 10:02:00 +02:00
test-hbitmap.c maint: avoid useless "if (foo) free(foo)" pattern 2015-09-11 10:21:38 +03:00
test-int128.c
test-iov.c
test-mul64.c
test-opts-visitor.c QemuOpts: Wean off qerror_report_err() 2015-06-22 18:20:39 +02:00
test-qdev-global-props.c
test-qemu-opts.c QemuOpts: Wean off qerror_report_err() 2015-06-22 18:20:39 +02:00
test-qmp-commands.c qapi: Support downstream events and commands 2015-05-14 18:21:27 +02:00
test-qmp-event.c qapi-event: Clean up how name of enum QAPIEvent is made 2015-09-04 15:47:13 +02:00
test-qmp-input-strict.c qapi: Merge UserDefTwo and UserDefNested in tests 2015-05-05 18:39:02 +02:00
test-qmp-input-visitor.c qapi: Document that input visitor semantics are prone to leaks 2015-09-04 15:47:14 +02:00
test-qmp-output-visitor.c qapi: Fix generated code when flat union has member 'kind' 2015-09-04 15:47:13 +02:00
test-rcu-list.c rcu: actually register threads that have RCU read-side critical sections 2015-07-24 13:57:45 +02:00
test-rfifolock.c
test-string-input-visitor.c
test-string-output-visitor.c
test-thread-pool.c
test-throttle.c throttle: add throttle_max_is_missing_limit() test 2015-08-05 12:53:48 +01:00
test-visitor-serialization.c qapi: Drop tests for inline nested structs 2015-05-05 18:39:02 +02:00
test-vmstate.c migration: Append JSON description of migration stream 2015-02-05 17:16:14 +01:00
test-write-threshold.c block: add event when disk usage exceeds threshold 2015-02-06 17:24:21 +01:00
test-x86-cpuid.c target-i386: Move topology.h to include/hw/i386 2015-03-09 16:30:02 -03:00
test-xbzrle.c maint: remove unused include for strings.h 2015-09-11 10:21:38 +03:00
tmp105-test.c
tpci200-test.c
usb-hcd-ehci-test.c
usb-hcd-ohci-test.c misc: fix typos in copyright declaration 2015-03-26 14:21:43 +01:00
usb-hcd-uhci-test.c misc: fix typos in copyright declaration 2015-03-26 14:21:43 +01:00
usb-hcd-xhci-test.c misc: fix typos in copyright declaration 2015-03-26 14:21:43 +01:00
vhost-user-test.c
virtio-9p-test.c
virtio-balloon-test.c
virtio-blk-test.c tests: Check QVIRTIO_F_ANY_LAYOUT flag in virtio-blk test 2015-03-10 14:02:23 +01:00
virtio-console-test.c
virtio-net-test.c tests: test rx recovery from cont 2015-08-04 09:41:28 +01:00
virtio-rng-test.c
virtio-scsi-test.c virtio-scsi-test: Add test case for tail unaligned WRITE SAME 2015-07-30 15:44:49 +02:00
virtio-serial-test.c
vmxnet3-test.c
wdt_ib700-test.c timer: rename NSEC_PER_SEC due to Mac OS X header clash 2015-07-20 17:01:00 +01:00