LXR qemu/tests/test-io-channel-tls.c

   1/*
   2 * QEMU I/O channel TLS test
   3 *
   4 * Copyright (C) 2015 Red Hat, Inc.
   5 *
   6 * This library is free software; you can redistribute it and/or
   7 * modify it under the terms of the GNU Lesser General Public
   8 * License as published by the Free Software Foundation; either
   9 * version 2.1 of the License, or (at your option) any later version.
  10 *
  11 * This library is distributed in the hope that it will be useful,
  12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
  13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
  14 * Lesser General Public License for more details.
  15 *
  16 * You should have received a copy of the GNU Lesser General Public
  17 * License along with this library.  If not, see
  18 * <http://www.gnu.org/licenses/>.
  19 *
  20 * Author: Daniel P. Berrange <berrange@redhat.com>
  21 */
  22
  23
  24#include "qemu/osdep.h"
  25
  26#include "crypto-tls-x509-helpers.h"
  27#include "io/channel-tls.h"
  28#include "io/channel-socket.h"
  29#include "io-channel-helpers.h"
  30#include "crypto/init.h"
  31#include "crypto/tlscredsx509.h"
  32#include "qapi/error.h"
  33#include "qemu/module.h"
  34#include "authz/list.h"
  35#include "qom/object_interfaces.h"
  36
  37#ifdef QCRYPTO_HAVE_TLS_TEST_SUPPORT
  38
  39#define WORKDIR "tests/test-io-channel-tls-work/"
  40#define KEYFILE WORKDIR "key-ctx.pem"
  41
  42struct QIOChannelTLSTestData {
  43    const char *servercacrt;
  44    const char *clientcacrt;
  45    const char *servercrt;
  46    const char *clientcrt;
  47    bool expectServerFail;
  48    bool expectClientFail;
  49    const char *hostname;
  50    const char *const *wildcards;
  51};
  52
  53struct QIOChannelTLSHandshakeData {
  54    bool finished;
  55    bool failed;
  56};
  57
  58static void test_tls_handshake_done(QIOTask *task,
  59                                    gpointer opaque)
  60{
  61    struct QIOChannelTLSHandshakeData *data = opaque;
  62
  63    data->finished = true;
  64    data->failed = qio_task_propagate_error(task, NULL);
  65}
  66
  67
  68static QCryptoTLSCreds *test_tls_creds_create(QCryptoTLSCredsEndpoint endpoint,
  69                                              const char *certdir)
  70{
  71    Object *parent = object_get_objects_root();
  72    Object *creds = object_new_with_props(
  73        TYPE_QCRYPTO_TLS_CREDS_X509,
  74        parent,
  75        (endpoint == QCRYPTO_TLS_CREDS_ENDPOINT_SERVER ?
  76         "testtlscredsserver" : "testtlscredsclient"),
  77        &error_abort,
  78        "endpoint", (endpoint == QCRYPTO_TLS_CREDS_ENDPOINT_SERVER ?
  79                     "server" : "client"),
  80        "dir", certdir,
  81        "verify-peer", "yes",
  82        "priority", "NORMAL",
  83        /* We skip initial sanity checks here because we
  84         * want to make sure that problems are being
  85         * detected at the TLS session validation stage,
  86         * and the test-crypto-tlscreds test already
  87         * validate the sanity check code.
  88         */
  89        "sanity-check", "no",
  90        NULL
  91        );
  92
  93    return QCRYPTO_TLS_CREDS(creds);
  94}
  95
  96
  97/*
  98 * This tests validation checking of peer certificates
  99 *
 100 * This is replicating the checks that are done for an
 101 * active TLS session after handshake completes. To
 102 * simulate that we create our TLS contexts, skipping
 103 * sanity checks. When then get a socketpair, and
 104 * initiate a TLS session across them. Finally do
 105 * do actual cert validation tests
 106 */
 107static void test_io_channel_tls(const void *opaque)
 108{
 109    struct QIOChannelTLSTestData *data =
 110        (struct QIOChannelTLSTestData *)opaque;
 111    QCryptoTLSCreds *clientCreds;
 112    QCryptoTLSCreds *serverCreds;
 113    QIOChannelTLS *clientChanTLS;
 114    QIOChannelTLS *serverChanTLS;
 115    QIOChannelSocket *clientChanSock;
 116    QIOChannelSocket *serverChanSock;
 117    QAuthZList *auth;
 118    const char * const *wildcards;
 119    int channel[2];
 120    struct QIOChannelTLSHandshakeData clientHandshake = { false, false };
 121    struct QIOChannelTLSHandshakeData serverHandshake = { false, false };
 122    QIOChannelTest *test;
 123    GMainContext *mainloop;
 124
 125    /* We'll use this for our fake client-server connection */
 126    g_assert(socketpair(AF_UNIX, SOCK_STREAM, 0, channel) == 0);
 127
 128#define CLIENT_CERT_DIR "tests/test-io-channel-tls-client/"
 129#define SERVER_CERT_DIR "tests/test-io-channel-tls-server/"
 130    mkdir(CLIENT_CERT_DIR, 0700);
 131    mkdir(SERVER_CERT_DIR, 0700);
 132
 133    unlink(SERVER_CERT_DIR QCRYPTO_TLS_CREDS_X509_CA_CERT);
 134    unlink(SERVER_CERT_DIR QCRYPTO_TLS_CREDS_X509_SERVER_CERT);
 135    unlink(SERVER_CERT_DIR QCRYPTO_TLS_CREDS_X509_SERVER_KEY);
 136
 137    unlink(CLIENT_CERT_DIR QCRYPTO_TLS_CREDS_X509_CA_CERT);
 138    unlink(CLIENT_CERT_DIR QCRYPTO_TLS_CREDS_X509_CLIENT_CERT);
 139    unlink(CLIENT_CERT_DIR QCRYPTO_TLS_CREDS_X509_CLIENT_KEY);
 140
 141    g_assert(link(data->servercacrt,
 142                  SERVER_CERT_DIR QCRYPTO_TLS_CREDS_X509_CA_CERT) == 0);
 143    g_assert(link(data->servercrt,
 144                  SERVER_CERT_DIR QCRYPTO_TLS_CREDS_X509_SERVER_CERT) == 0);
 145    g_assert(link(KEYFILE,
 146                  SERVER_CERT_DIR QCRYPTO_TLS_CREDS_X509_SERVER_KEY) == 0);
 147
 148    g_assert(link(data->clientcacrt,
 149                  CLIENT_CERT_DIR QCRYPTO_TLS_CREDS_X509_CA_CERT) == 0);
 150    g_assert(link(data->clientcrt,
 151                  CLIENT_CERT_DIR QCRYPTO_TLS_CREDS_X509_CLIENT_CERT) == 0);
 152    g_assert(link(KEYFILE,
 153                  CLIENT_CERT_DIR QCRYPTO_TLS_CREDS_X509_CLIENT_KEY) == 0);
 154
 155    clientCreds = test_tls_creds_create(
 156        QCRYPTO_TLS_CREDS_ENDPOINT_CLIENT,
 157        CLIENT_CERT_DIR);
 158    g_assert(clientCreds != NULL);
 159
 160    serverCreds = test_tls_creds_create(
 161        QCRYPTO_TLS_CREDS_ENDPOINT_SERVER,
 162        SERVER_CERT_DIR);
 163    g_assert(serverCreds != NULL);
 164
 165    auth = qauthz_list_new("channeltlsacl",
 166                           QAUTHZ_LIST_POLICY_DENY,
 167                           &error_abort);
 168    wildcards = data->wildcards;
 169    while (wildcards && *wildcards) {
 170        qauthz_list_append_rule(auth, *wildcards,
 171                                QAUTHZ_LIST_POLICY_ALLOW,
 172                                QAUTHZ_LIST_FORMAT_GLOB,
 173                                &error_abort);
 174        wildcards++;
 175    }
 176
 177    clientChanSock = qio_channel_socket_new_fd(
 178        channel[0], &error_abort);
 179    g_assert(clientChanSock != NULL);
 180    serverChanSock = qio_channel_socket_new_fd(
 181        channel[1], &error_abort);
 182    g_assert(serverChanSock != NULL);
 183
 184    /*
 185     * We have an evil loop to do the handshake in a single
 186     * thread, so we need these non-blocking to avoid deadlock
 187     * of ourselves
 188     */
 189    qio_channel_set_blocking(QIO_CHANNEL(clientChanSock), false, NULL);
 190    qio_channel_set_blocking(QIO_CHANNEL(serverChanSock), false, NULL);
 191
 192    /* Now the real part of the test, setup the sessions */
 193    clientChanTLS = qio_channel_tls_new_client(
 194        QIO_CHANNEL(clientChanSock), clientCreds,
 195        data->hostname, &error_abort);
 196    g_assert(clientChanTLS != NULL);
 197
 198    serverChanTLS = qio_channel_tls_new_server(
 199        QIO_CHANNEL(serverChanSock), serverCreds,
 200        "channeltlsacl", &error_abort);
 201    g_assert(serverChanTLS != NULL);
 202
 203    qio_channel_tls_handshake(clientChanTLS,
 204                              test_tls_handshake_done,
 205                              &clientHandshake,
 206                              NULL,
 207                              NULL);
 208    qio_channel_tls_handshake(serverChanTLS,
 209                              test_tls_handshake_done,
 210                              &serverHandshake,
 211                              NULL,
 212                              NULL);
 213
 214    /*
 215     * Finally we loop around & around doing handshake on each
 216     * session until we get an error, or the handshake completes.
 217     * This relies on the socketpair being nonblocking to avoid
 218     * deadlocking ourselves upon handshake
 219     */
 220    mainloop = g_main_context_default();
 221    do {
 222        g_main_context_iteration(mainloop, TRUE);
 223    } while (!clientHandshake.finished ||
 224             !serverHandshake.finished);
 225
 226    g_assert(clientHandshake.failed == data->expectClientFail);
 227    g_assert(serverHandshake.failed == data->expectServerFail);
 228
 229    test = qio_channel_test_new();
 230    qio_channel_test_run_threads(test, false,
 231                                 QIO_CHANNEL(clientChanTLS),
 232                                 QIO_CHANNEL(serverChanTLS));
 233    qio_channel_test_validate(test);
 234
 235    test = qio_channel_test_new();
 236    qio_channel_test_run_threads(test, true,
 237                                 QIO_CHANNEL(clientChanTLS),
 238                                 QIO_CHANNEL(serverChanTLS));
 239    qio_channel_test_validate(test);
 240
 241    unlink(SERVER_CERT_DIR QCRYPTO_TLS_CREDS_X509_CA_CERT);
 242    unlink(SERVER_CERT_DIR QCRYPTO_TLS_CREDS_X509_SERVER_CERT);
 243    unlink(SERVER_CERT_DIR QCRYPTO_TLS_CREDS_X509_SERVER_KEY);
 244
 245    unlink(CLIENT_CERT_DIR QCRYPTO_TLS_CREDS_X509_CA_CERT);
 246    unlink(CLIENT_CERT_DIR QCRYPTO_TLS_CREDS_X509_CLIENT_CERT);
 247    unlink(CLIENT_CERT_DIR QCRYPTO_TLS_CREDS_X509_CLIENT_KEY);
 248
 249    rmdir(CLIENT_CERT_DIR);
 250    rmdir(SERVER_CERT_DIR);
 251
 252    object_unparent(OBJECT(serverCreds));
 253    object_unparent(OBJECT(clientCreds));
 254
 255    object_unref(OBJECT(serverChanTLS));
 256    object_unref(OBJECT(clientChanTLS));
 257
 258    object_unref(OBJECT(serverChanSock));
 259    object_unref(OBJECT(clientChanSock));
 260
 261    object_unparent(OBJECT(auth));
 262
 263    close(channel[0]);
 264    close(channel[1]);
 265}
 266
 267
 268int main(int argc, char **argv)
 269{
 270    int ret;
 271
 272    g_assert(qcrypto_init(NULL) == 0);
 273
 274    module_call_init(MODULE_INIT_QOM);
 275    g_test_init(&argc, &argv, NULL);
 276    setenv("GNUTLS_FORCE_FIPS_MODE", "2", 1);
 277
 278    mkdir(WORKDIR, 0700);
 279
 280    test_tls_init(KEYFILE);
 281
 282# define TEST_CHANNEL(name, caCrt,                                      \
 283                      serverCrt, clientCrt,                             \
 284                      expectServerFail, expectClientFail,               \
 285                      hostname, wildcards)                              \
 286    struct QIOChannelTLSTestData name = {                               \
 287        caCrt, caCrt, serverCrt, clientCrt,                             \
 288        expectServerFail, expectClientFail,                             \
 289        hostname, wildcards                                             \
 290    };                                                                  \
 291    g_test_add_data_func("/qio/channel/tls/" # name,                    \
 292                         &name, test_io_channel_tls);
 293
 294    /* A perfect CA, perfect client & perfect server */
 295
 296    /* Basic:CA:critical */
 297    TLS_ROOT_REQ(cacertreq,
 298                 "UK", "qemu CA", NULL, NULL, NULL, NULL,
 299                 true, true, true,
 300                 true, true, GNUTLS_KEY_KEY_CERT_SIGN,
 301                 false, false, NULL, NULL,
 302                 0, 0);
 303    TLS_CERT_REQ(servercertreq, cacertreq,
 304                 "UK", "qemu.org", NULL, NULL, NULL, NULL,
 305                 true, true, false,
 306                 true, true,
 307                 GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT,
 308                 true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL,
 309                 0, 0);
 310    TLS_CERT_REQ(clientcertreq, cacertreq,
 311                 "UK", "qemu", NULL, NULL, NULL, NULL,
 312                 true, true, false,
 313                 true, true,
 314                 GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT,
 315                 true, true, GNUTLS_KP_TLS_WWW_CLIENT, NULL,
 316                 0, 0);
 317
 318    const char *const wildcards[] = {
 319        "C=UK,CN=qemu*",
 320        NULL,
 321    };
 322    TEST_CHANNEL(basic, cacertreq.filename, servercertreq.filename,
 323                 clientcertreq.filename, false, false,
 324                 "qemu.org", wildcards);
 325
 326    ret = g_test_run();
 327
 328    test_tls_discard_cert(&clientcertreq);
 329    test_tls_discard_cert(&servercertreq);
 330    test_tls_discard_cert(&cacertreq);
 331
 332    test_tls_cleanup(KEYFILE);
 333    rmdir(WORKDIR);
 334
 335    return ret == 0 ? EXIT_SUCCESS : EXIT_FAILURE;
 336}
 337
 338#else /* ! QCRYPTO_HAVE_TLS_TEST_SUPPORT */
 339
 340int
 341main(void)
 342{
 343    return EXIT_SUCCESS;
 344}
 345
 346#endif /* ! QCRYPTO_HAVE_TLS_TEST_SUPPORT */
 347