qemu/tests/test-io-channel-tls.c

   1 /*
   2  * QEMU I/O channel TLS test
   3  *
   4  * Copyright (C) 2015 Red Hat, Inc.
   5  *
   6  * This library is free software; you can redistribute it and/or
   7  * modify it under the terms of the GNU Lesser General Public
   8  * License as published by the Free Software Foundation; either
   9  * version 2.1 of the License, or (at your option) any later version.
  10  *
  11  * This library is distributed in the hope that it will be useful,
  12  * but WITHOUT ANY WARRANTY; without even the implied warranty of
  13  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
  14  * Lesser General Public License for more details.
  15  *
  16  * You should have received a copy of the GNU Lesser General Public
  17  * License along with this library.  If not, see
  18  * <http://www.gnu.org/licenses/>.
  19  *
  20  * Author: Daniel P. Berrange <berrange@redhat.com>
  21  */
  22
  23
  24 #include "qemu/osdep.h"
  25
  26 #include "crypto-tls-x509-helpers.h"
  27 #include "io/channel-tls.h"
  28 #include "io/channel-socket.h"
  29 #include "io-channel-helpers.h"
  30 #include "crypto/tlscredsx509.h"
  31 #include "qemu/acl.h"
  32 #include "qom/object_interfaces.h"
  33
  34 #ifdef QCRYPTO_HAVE_TLS_TEST_SUPPORT
  35
  36 #define WORKDIR "tests/test-io-channel-tls-work/"
  37 #define KEYFILE WORKDIR "key-ctx.pem"
  38
  39 struct QIOChannelTLSTestData {
  40     const char *servercacrt;
  41     const char *clientcacrt;
  42     const char *servercrt;
  43     const char *clientcrt;
  44     bool expectServerFail;
  45     bool expectClientFail;
  46     const char *hostname;
  47     const char *const *wildcards;
  48 };
  49
  50 struct QIOChannelTLSHandshakeData {
  51     bool finished;
  52     bool failed;
  53 };
  54
  55 static void test_tls_handshake_done(Object *source,
  56                                     Error *err,
  57                                     gpointer opaque)
  58 {
  59     struct QIOChannelTLSHandshakeData *data = opaque;
  60
  61     data->finished = true;
  62     data->failed = err != NULL;
  63 }
  64
  65
  66 static QCryptoTLSCreds *test_tls_creds_create(QCryptoTLSCredsEndpoint endpoint,
  67                                               const char *certdir,
  68                                               Error **errp)
  69 {
  70     Object *parent = object_get_objects_root();
  71     Object *creds = object_new_with_props(
  72         TYPE_QCRYPTO_TLS_CREDS_X509,
  73         parent,
  74         (endpoint == QCRYPTO_TLS_CREDS_ENDPOINT_SERVER ?
  75          "testtlscredsserver" : "testtlscredsclient"),
  76         errp,
  77         "endpoint", (endpoint == QCRYPTO_TLS_CREDS_ENDPOINT_SERVER ?
  78                      "server" : "client"),
  79         "dir", certdir,
  80         "verify-peer", "yes",
  81         /* We skip initial sanity checks here because we
  82          * want to make sure that problems are being
  83          * detected at the TLS session validation stage,
  84          * and the test-crypto-tlscreds test already
  85          * validate the sanity check code.
  86          */
  87         "sanity-check", "no",
  88         NULL
  89         );
  90
  91     if (*errp) {
  92         return NULL;
  93     }
  94     return QCRYPTO_TLS_CREDS(creds);
  95 }
  96
  97
  98 /*
  99  * This tests validation checking of peer certificates
 100  *
 101  * This is replicating the checks that are done for an
 102  * active TLS session after handshake completes. To
 103  * simulate that we create our TLS contexts, skipping
 104  * sanity checks. When then get a socketpair, and
 105  * initiate a TLS session across them. Finally do
 106  * do actual cert validation tests
 107  */
 108 static void test_io_channel_tls(const void *opaque)
 109 {
 110     struct QIOChannelTLSTestData *data =
 111         (struct QIOChannelTLSTestData *)opaque;
 112     QCryptoTLSCreds *clientCreds;
 113     QCryptoTLSCreds *serverCreds;
 114     QIOChannelTLS *clientChanTLS;
 115     QIOChannelTLS *serverChanTLS;
 116     QIOChannelSocket *clientChanSock;
 117     QIOChannelSocket *serverChanSock;
 118     qemu_acl *acl;
 119     const char * const *wildcards;
 120     int channel[2];
 121     struct QIOChannelTLSHandshakeData clientHandshake = { false, false };
 122     struct QIOChannelTLSHandshakeData serverHandshake = { false, false };
 123     Error *err = NULL;
 124     QIOChannelTest *test;
 125     GMainContext *mainloop;
 126
 127     /* We'll use this for our fake client-server connection */
 128     g_assert(socketpair(AF_UNIX, SOCK_STREAM, 0, channel) == 0);
 129
 130 #define CLIENT_CERT_DIR "tests/test-crypto-tlssession-client/"
 131 #define SERVER_CERT_DIR "tests/test-crypto-tlssession-server/"
 132     mkdir(CLIENT_CERT_DIR, 0700);
 133     mkdir(SERVER_CERT_DIR, 0700);
 134
 135     unlink(SERVER_CERT_DIR QCRYPTO_TLS_CREDS_X509_CA_CERT);
 136     unlink(SERVER_CERT_DIR QCRYPTO_TLS_CREDS_X509_SERVER_CERT);
 137     unlink(SERVER_CERT_DIR QCRYPTO_TLS_CREDS_X509_SERVER_KEY);
 138
 139     unlink(CLIENT_CERT_DIR QCRYPTO_TLS_CREDS_X509_CA_CERT);
 140     unlink(CLIENT_CERT_DIR QCRYPTO_TLS_CREDS_X509_CLIENT_CERT);
 141     unlink(CLIENT_CERT_DIR QCRYPTO_TLS_CREDS_X509_CLIENT_KEY);
 142
 143     g_assert(link(data->servercacrt,
 144                   SERVER_CERT_DIR QCRYPTO_TLS_CREDS_X509_CA_CERT) == 0);
 145     g_assert(link(data->servercrt,
 146                   SERVER_CERT_DIR QCRYPTO_TLS_CREDS_X509_SERVER_CERT) == 0);
 147     g_assert(link(KEYFILE,
 148                   SERVER_CERT_DIR QCRYPTO_TLS_CREDS_X509_SERVER_KEY) == 0);
 149
 150     g_assert(link(data->clientcacrt,
 151                   CLIENT_CERT_DIR QCRYPTO_TLS_CREDS_X509_CA_CERT) == 0);
 152     g_assert(link(data->clientcrt,
 153                   CLIENT_CERT_DIR QCRYPTO_TLS_CREDS_X509_CLIENT_CERT) == 0);
 154     g_assert(link(KEYFILE,
 155                   CLIENT_CERT_DIR QCRYPTO_TLS_CREDS_X509_CLIENT_KEY) == 0);
 156
 157     clientCreds = test_tls_creds_create(
 158         QCRYPTO_TLS_CREDS_ENDPOINT_CLIENT,
 159         CLIENT_CERT_DIR,
 160         &err);
 161     g_assert(clientCreds != NULL);
 162
 163     serverCreds = test_tls_creds_create(
 164         QCRYPTO_TLS_CREDS_ENDPOINT_SERVER,
 165         SERVER_CERT_DIR,
 166         &err);
 167     g_assert(serverCreds != NULL);
 168
 169     acl = qemu_acl_init("channeltlsacl");
 170     qemu_acl_reset(acl);
 171     wildcards = data->wildcards;
 172     while (wildcards && *wildcards) {
 173         qemu_acl_append(acl, 0, *wildcards);
 174         wildcards++;
 175     }
 176
 177     clientChanSock = qio_channel_socket_new_fd(
 178         channel[0], &err);
 179     g_assert(clientChanSock != NULL);
 180     serverChanSock = qio_channel_socket_new_fd(
 181         channel[1], &err);
 182     g_assert(serverChanSock != NULL);
 183
 184     /*
 185      * We have an evil loop to do the handshake in a single
 186      * thread, so we need these non-blocking to avoid deadlock
 187      * of ourselves
 188      */
 189     qio_channel_set_blocking(QIO_CHANNEL(clientChanSock), false, NULL);
 190     qio_channel_set_blocking(QIO_CHANNEL(serverChanSock), false, NULL);
 191
 192     /* Now the real part of the test, setup the sessions */
 193     clientChanTLS = qio_channel_tls_new_client(
 194         QIO_CHANNEL(clientChanSock), clientCreds,
 195         data->hostname, &err);
 196     g_assert(clientChanTLS != NULL);
 197
 198     serverChanTLS = qio_channel_tls_new_server(
 199         QIO_CHANNEL(serverChanSock), serverCreds,
 200         "channeltlsacl", &err);
 201     g_assert(serverChanTLS != NULL);
 202
 203     qio_channel_tls_handshake(clientChanTLS,
 204                               test_tls_handshake_done,
 205                               &clientHandshake,
 206                               NULL);
 207     qio_channel_tls_handshake(serverChanTLS,
 208                               test_tls_handshake_done,
 209                               &serverHandshake,
 210                               NULL);
 211
 212     /*
 213      * Finally we loop around & around doing handshake on each
 214      * session until we get an error, or the handshake completes.
 215      * This relies on the socketpair being nonblocking to avoid
 216      * deadlocking ourselves upon handshake
 217      */
 218     mainloop = g_main_context_default();
 219     do {
 220         g_main_context_iteration(mainloop, TRUE);
 221     } while (!clientHandshake.finished &&
 222              !serverHandshake.finished);
 223
 224     g_assert(clientHandshake.failed == data->expectClientFail);
 225     g_assert(serverHandshake.failed == data->expectServerFail);
 226
 227     test = qio_channel_test_new();
 228     qio_channel_test_run_threads(test, false,
 229                                  QIO_CHANNEL(clientChanTLS),
 230                                  QIO_CHANNEL(serverChanTLS));
 231     qio_channel_test_validate(test);
 232
 233     test = qio_channel_test_new();
 234     qio_channel_test_run_threads(test, true,
 235                                  QIO_CHANNEL(clientChanTLS),
 236                                  QIO_CHANNEL(serverChanTLS));
 237     qio_channel_test_validate(test);
 238
 239     unlink(SERVER_CERT_DIR QCRYPTO_TLS_CREDS_X509_CA_CERT);
 240     unlink(SERVER_CERT_DIR QCRYPTO_TLS_CREDS_X509_SERVER_CERT);
 241     unlink(SERVER_CERT_DIR QCRYPTO_TLS_CREDS_X509_SERVER_KEY);
 242
 243     unlink(CLIENT_CERT_DIR QCRYPTO_TLS_CREDS_X509_CA_CERT);
 244     unlink(CLIENT_CERT_DIR QCRYPTO_TLS_CREDS_X509_CLIENT_CERT);
 245     unlink(CLIENT_CERT_DIR QCRYPTO_TLS_CREDS_X509_CLIENT_KEY);
 246
 247     rmdir(CLIENT_CERT_DIR);
 248     rmdir(SERVER_CERT_DIR);
 249
 250     object_unparent(OBJECT(serverCreds));
 251     object_unparent(OBJECT(clientCreds));
 252
 253     object_unref(OBJECT(serverChanTLS));
 254     object_unref(OBJECT(clientChanTLS));
 255
 256     object_unref(OBJECT(serverChanSock));
 257     object_unref(OBJECT(clientChanSock));
 258
 259     close(channel[0]);
 260     close(channel[1]);
 261 }
 262
 263
 264 int main(int argc, char **argv)
 265 {
 266     int ret;
 267
 268     module_call_init(MODULE_INIT_QOM);
 269     g_test_init(&argc, &argv, NULL);
 270     setenv("GNUTLS_FORCE_FIPS_MODE", "2", 1);
 271
 272     mkdir(WORKDIR, 0700);
 273
 274     test_tls_init(KEYFILE);
 275
 276 # define TEST_CHANNEL(name, caCrt,                                      \
 277                       serverCrt, clientCrt,                             \
 278                       expectServerFail, expectClientFail,               \
 279                       hostname, wildcards)                              \
 280     struct QIOChannelTLSTestData name = {                               \
 281         caCrt, caCrt, serverCrt, clientCrt,                             \
 282         expectServerFail, expectClientFail,                             \
 283         hostname, wildcards                                             \
 284     };                                                                  \
 285     g_test_add_data_func("/qio/channel/tls/" # name,                    \
 286                          &name, test_io_channel_tls);
 287
 288     /* A perfect CA, perfect client & perfect server */
 289
 290     /* Basic:CA:critical */
 291     TLS_ROOT_REQ(cacertreq,
 292                  "UK", "qemu CA", NULL, NULL, NULL, NULL,
 293                  true, true, true,
 294                  true, true, GNUTLS_KEY_KEY_CERT_SIGN,
 295                  false, false, NULL, NULL,
 296                  0, 0);
 297     TLS_CERT_REQ(servercertreq, cacertreq,
 298                  "UK", "qemu.org", NULL, NULL, NULL, NULL,
 299                  true, true, false,
 300                  true, true,
 301                  GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT,
 302                  true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL,
 303                  0, 0);
 304     TLS_CERT_REQ(clientcertreq, cacertreq,
 305                  "UK", "qemu", NULL, NULL, NULL, NULL,
 306                  true, true, false,
 307                  true, true,
 308                  GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT,
 309                  true, true, GNUTLS_KP_TLS_WWW_CLIENT, NULL,
 310                  0, 0);
 311
 312     const char *const wildcards[] = {
 313         "C=UK,CN=qemu*",
 314         NULL,
 315     };
 316     TEST_CHANNEL(basic, cacertreq.filename, servercertreq.filename,
 317                  clientcertreq.filename, false, false,
 318                  "qemu.org", wildcards);
 319
 320     ret = g_test_run();
 321
 322     test_tls_discard_cert(&clientcertreq);
 323     test_tls_discard_cert(&servercertreq);
 324     test_tls_discard_cert(&cacertreq);
 325
 326     test_tls_cleanup(KEYFILE);
 327     rmdir(WORKDIR);
 328
 329     return ret == 0 ? EXIT_SUCCESS : EXIT_FAILURE;
 330 }
 331
 332 #else /* ! QCRYPTO_HAVE_TLS_TEST_SUPPORT */
 333
 334 int
 335 main(void)
 336 {
 337     return EXIT_SUCCESS;
 338 }
 339
 340 #endif /* ! QCRYPTO_HAVE_TLS_TEST_SUPPORT */