tests/test-io-channel-tls.c

   1 /*
   2  * QEMU I/O channel TLS test
   3  *
   4  * Copyright (C) 2015 Red Hat, Inc.
   5  *
   6  * This library is free software; you can redistribute it and/or
   7  * modify it under the terms of the GNU Lesser General Public
   8  * License as published by the Free Software Foundation; either
   9  * version 2.1 of the License, or (at your option) any later version.
  10  *
  11  * This library is distributed in the hope that it will be useful,
  12  * but WITHOUT ANY WARRANTY; without even the implied warranty of
  13  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
  14  * Lesser General Public License for more details.
  15  *
  16  * You should have received a copy of the GNU Lesser General Public
  17  * License along with this library.  If not, see
  18  * <http://www.gnu.org/licenses/>.
  19  *
  20  * Author: Daniel P. Berrange <[email protected]>
  21  */
  22
  23
  24 #include "qemu/osdep.h"
  25
  26 #include "crypto-tls-x509-helpers.h"
  27 #include "io/channel-tls.h"
  28 #include "io/channel-socket.h"
  29 #include "io-channel-helpers.h"
  30 #include "crypto/init.h"
  31 #include "crypto/tlscredsx509.h"
  32 #include "qapi/error.h"
  33 #include "authz/list.h"
  34 #include "qom/object_interfaces.h"
  35
  36 #ifdef QCRYPTO_HAVE_TLS_TEST_SUPPORT
  37
  38 #define WORKDIR "tests/test-io-channel-tls-work/"
  39 #define KEYFILE WORKDIR "key-ctx.pem"
  40
  41 struct QIOChannelTLSTestData {
  42     const char *servercacrt;
  43     const char *clientcacrt;
  44     const char *servercrt;
  45     const char *clientcrt;
  46     bool expectServerFail;
  47     bool expectClientFail;
  48     const char *hostname;
  49     const char *const *wildcards;
  50 };
  51
  52 struct QIOChannelTLSHandshakeData {
  53     bool finished;
  54     bool failed;
  55 };
  56
  57 static void test_tls_handshake_done(QIOTask *task,
  58                                     gpointer opaque)
  59 {
  60     struct QIOChannelTLSHandshakeData *data = opaque;
  61
  62     data->finished = true;
  63     data->failed = qio_task_propagate_error(task, NULL);
  64 }
  65
  66
  67 static QCryptoTLSCreds *test_tls_creds_create(QCryptoTLSCredsEndpoint endpoint,
  68                                               const char *certdir)
  69 {
  70     Object *parent = object_get_objects_root();
  71     Object *creds = object_new_with_props(
  72         TYPE_QCRYPTO_TLS_CREDS_X509,
  73         parent,
  74         (endpoint == QCRYPTO_TLS_CREDS_ENDPOINT_SERVER ?
  75          "testtlscredsserver" : "testtlscredsclient"),
  76         &error_abort,
  77         "endpoint", (endpoint == QCRYPTO_TLS_CREDS_ENDPOINT_SERVER ?
  78                      "server" : "client"),
  79         "dir", certdir,
  80         "verify-peer", "yes",
  81         "priority", "NORMAL",
  82         /* We skip initial sanity checks here because we
  83          * want to make sure that problems are being
  84          * detected at the TLS session validation stage,
  85          * and the test-crypto-tlscreds test already
  86          * validate the sanity check code.
  87          */
  88         "sanity-check", "no",
  89         NULL
  90         );
  91
  92     return QCRYPTO_TLS_CREDS(creds);
  93 }
  94
  95
  96 /*
  97  * This tests validation checking of peer certificates
  98  *
  99  * This is replicating the checks that are done for an
 100  * active TLS session after handshake completes. To
 101  * simulate that we create our TLS contexts, skipping
 102  * sanity checks. When then get a socketpair, and
 103  * initiate a TLS session across them. Finally do
 104  * do actual cert validation tests
 105  */
 106 static void test_io_channel_tls(const void *opaque)
 107 {
 108     struct QIOChannelTLSTestData *data =
 109         (struct QIOChannelTLSTestData *)opaque;
 110     QCryptoTLSCreds *clientCreds;
 111     QCryptoTLSCreds *serverCreds;
 112     QIOChannelTLS *clientChanTLS;
 113     QIOChannelTLS *serverChanTLS;
 114     QIOChannelSocket *clientChanSock;
 115     QIOChannelSocket *serverChanSock;
 116     QAuthZList *auth;
 117     const char * const *wildcards;
 118     int channel[2];
 119     struct QIOChannelTLSHandshakeData clientHandshake = { false, false };
 120     struct QIOChannelTLSHandshakeData serverHandshake = { false, false };
 121     QIOChannelTest *test;
 122     GMainContext *mainloop;
 123
 124     /* We'll use this for our fake client-server connection */
 125     g_assert(socketpair(AF_UNIX, SOCK_STREAM, 0, channel) == 0);
 126
 127 #define CLIENT_CERT_DIR "tests/test-io-channel-tls-client/"
 128 #define SERVER_CERT_DIR "tests/test-io-channel-tls-server/"
 129     mkdir(CLIENT_CERT_DIR, 0700);
 130     mkdir(SERVER_CERT_DIR, 0700);
 131
 132     unlink(SERVER_CERT_DIR QCRYPTO_TLS_CREDS_X509_CA_CERT);
 133     unlink(SERVER_CERT_DIR QCRYPTO_TLS_CREDS_X509_SERVER_CERT);
 134     unlink(SERVER_CERT_DIR QCRYPTO_TLS_CREDS_X509_SERVER_KEY);
 135
 136     unlink(CLIENT_CERT_DIR QCRYPTO_TLS_CREDS_X509_CA_CERT);
 137     unlink(CLIENT_CERT_DIR QCRYPTO_TLS_CREDS_X509_CLIENT_CERT);
 138     unlink(CLIENT_CERT_DIR QCRYPTO_TLS_CREDS_X509_CLIENT_KEY);
 139
 140     g_assert(link(data->servercacrt,
 141                   SERVER_CERT_DIR QCRYPTO_TLS_CREDS_X509_CA_CERT) == 0);
 142     g_assert(link(data->servercrt,
 143                   SERVER_CERT_DIR QCRYPTO_TLS_CREDS_X509_SERVER_CERT) == 0);
 144     g_assert(link(KEYFILE,
 145                   SERVER_CERT_DIR QCRYPTO_TLS_CREDS_X509_SERVER_KEY) == 0);
 146
 147     g_assert(link(data->clientcacrt,
 148                   CLIENT_CERT_DIR QCRYPTO_TLS_CREDS_X509_CA_CERT) == 0);
 149     g_assert(link(data->clientcrt,
 150                   CLIENT_CERT_DIR QCRYPTO_TLS_CREDS_X509_CLIENT_CERT) == 0);
 151     g_assert(link(KEYFILE,
 152                   CLIENT_CERT_DIR QCRYPTO_TLS_CREDS_X509_CLIENT_KEY) == 0);
 153
 154     clientCreds = test_tls_creds_create(
 155         QCRYPTO_TLS_CREDS_ENDPOINT_CLIENT,
 156         CLIENT_CERT_DIR);
 157     g_assert(clientCreds != NULL);
 158
 159     serverCreds = test_tls_creds_create(
 160         QCRYPTO_TLS_CREDS_ENDPOINT_SERVER,
 161         SERVER_CERT_DIR);
 162     g_assert(serverCreds != NULL);
 163
 164     auth = qauthz_list_new("channeltlsacl",
 165                            QAUTHZ_LIST_POLICY_DENY,
 166                            &error_abort);
 167     wildcards = data->wildcards;
 168     while (wildcards && *wildcards) {
 169         qauthz_list_append_rule(auth, *wildcards,
 170                                 QAUTHZ_LIST_POLICY_ALLOW,
 171                                 QAUTHZ_LIST_FORMAT_GLOB,
 172                                 &error_abort);
 173         wildcards++;
 174     }
 175
 176     clientChanSock = qio_channel_socket_new_fd(
 177         channel[0], &error_abort);
 178     g_assert(clientChanSock != NULL);
 179     serverChanSock = qio_channel_socket_new_fd(
 180         channel[1], &error_abort);
 181     g_assert(serverChanSock != NULL);
 182
 183     /*
 184      * We have an evil loop to do the handshake in a single
 185      * thread, so we need these non-blocking to avoid deadlock
 186      * of ourselves
 187      */
 188     qio_channel_set_blocking(QIO_CHANNEL(clientChanSock), false, NULL);
 189     qio_channel_set_blocking(QIO_CHANNEL(serverChanSock), false, NULL);
 190
 191     /* Now the real part of the test, setup the sessions */
 192     clientChanTLS = qio_channel_tls_new_client(
 193         QIO_CHANNEL(clientChanSock), clientCreds,
 194         data->hostname, &error_abort);
 195     g_assert(clientChanTLS != NULL);
 196
 197     serverChanTLS = qio_channel_tls_new_server(
 198         QIO_CHANNEL(serverChanSock), serverCreds,
 199         "channeltlsacl", &error_abort);
 200     g_assert(serverChanTLS != NULL);
 201
 202     qio_channel_tls_handshake(clientChanTLS,
 203                               test_tls_handshake_done,
 204                               &clientHandshake,
 205                               NULL,
 206                               NULL);
 207     qio_channel_tls_handshake(serverChanTLS,
 208                               test_tls_handshake_done,
 209                               &serverHandshake,
 210                               NULL,
 211                               NULL);
 212
 213     /*
 214      * Finally we loop around & around doing handshake on each
 215      * session until we get an error, or the handshake completes.
 216      * This relies on the socketpair being nonblocking to avoid
 217      * deadlocking ourselves upon handshake
 218      */
 219     mainloop = g_main_context_default();
 220     do {
 221         g_main_context_iteration(mainloop, TRUE);
 222     } while (!clientHandshake.finished ||
 223              !serverHandshake.finished);
 224
 225     g_assert(clientHandshake.failed == data->expectClientFail);
 226     g_assert(serverHandshake.failed == data->expectServerFail);
 227
 228     test = qio_channel_test_new();
 229     qio_channel_test_run_threads(test, false,
 230                                  QIO_CHANNEL(clientChanTLS),
 231                                  QIO_CHANNEL(serverChanTLS));
 232     qio_channel_test_validate(test);
 233
 234     test = qio_channel_test_new();
 235     qio_channel_test_run_threads(test, true,
 236                                  QIO_CHANNEL(clientChanTLS),
 237                                  QIO_CHANNEL(serverChanTLS));
 238     qio_channel_test_validate(test);
 239
 240     unlink(SERVER_CERT_DIR QCRYPTO_TLS_CREDS_X509_CA_CERT);
 241     unlink(SERVER_CERT_DIR QCRYPTO_TLS_CREDS_X509_SERVER_CERT);
 242     unlink(SERVER_CERT_DIR QCRYPTO_TLS_CREDS_X509_SERVER_KEY);
 243
 244     unlink(CLIENT_CERT_DIR QCRYPTO_TLS_CREDS_X509_CA_CERT);
 245     unlink(CLIENT_CERT_DIR QCRYPTO_TLS_CREDS_X509_CLIENT_CERT);
 246     unlink(CLIENT_CERT_DIR QCRYPTO_TLS_CREDS_X509_CLIENT_KEY);
 247
 248     rmdir(CLIENT_CERT_DIR);
 249     rmdir(SERVER_CERT_DIR);
 250
 251     object_unparent(OBJECT(serverCreds));
 252     object_unparent(OBJECT(clientCreds));
 253
 254     object_unref(OBJECT(serverChanTLS));
 255     object_unref(OBJECT(clientChanTLS));
 256
 257     object_unref(OBJECT(serverChanSock));
 258     object_unref(OBJECT(clientChanSock));
 259
 260     object_unparent(OBJECT(auth));
 261
 262     close(channel[0]);
 263     close(channel[1]);
 264 }
 265
 266
 267 int main(int argc, char **argv)
 268 {
 269     int ret;
 270
 271     g_assert(qcrypto_init(NULL) == 0);
 272
 273     module_call_init(MODULE_INIT_QOM);
 274     g_test_init(&argc, &argv, NULL);
 275     setenv("GNUTLS_FORCE_FIPS_MODE", "2", 1);
 276
 277     mkdir(WORKDIR, 0700);
 278
 279     test_tls_init(KEYFILE);
 280
 281 # define TEST_CHANNEL(name, caCrt,                                      \
 282                       serverCrt, clientCrt,                             \
 283                       expectServerFail, expectClientFail,               \
 284                       hostname, wildcards)                              \
 285     struct QIOChannelTLSTestData name = {                               \
 286         caCrt, caCrt, serverCrt, clientCrt,                             \
 287         expectServerFail, expectClientFail,                             \
 288         hostname, wildcards                                             \
 289     };                                                                  \
 290     g_test_add_data_func("/qio/channel/tls/" # name,                    \
 291                          &name, test_io_channel_tls);
 292
 293     /* A perfect CA, perfect client & perfect server */
 294
 295     /* Basic:CA:critical */
 296     TLS_ROOT_REQ(cacertreq,
 297                  "UK", "qemu CA", NULL, NULL, NULL, NULL,
 298                  true, true, true,
 299                  true, true, GNUTLS_KEY_KEY_CERT_SIGN,
 300                  false, false, NULL, NULL,
 301                  0, 0);
 302     TLS_CERT_REQ(servercertreq, cacertreq,
 303                  "UK", "qemu.org", NULL, NULL, NULL, NULL,
 304                  true, true, false,
 305                  true, true,
 306                  GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT,
 307                  true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL,
 308                  0, 0);
 309     TLS_CERT_REQ(clientcertreq, cacertreq,
 310                  "UK", "qemu", NULL, NULL, NULL, NULL,
 311                  true, true, false,
 312                  true, true,
 313                  GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT,
 314                  true, true, GNUTLS_KP_TLS_WWW_CLIENT, NULL,
 315                  0, 0);
 316
 317     const char *const wildcards[] = {
 318         "C=UK,CN=qemu*",
 319         NULL,
 320     };
 321     TEST_CHANNEL(basic, cacertreq.filename, servercertreq.filename,
 322                  clientcertreq.filename, false, false,
 323                  "qemu.org", wildcards);
 324
 325     ret = g_test_run();
 326
 327     test_tls_discard_cert(&clientcertreq);
 328     test_tls_discard_cert(&servercertreq);
 329     test_tls_discard_cert(&cacertreq);
 330
 331     test_tls_cleanup(KEYFILE);
 332     rmdir(WORKDIR);
 333
 334     return ret == 0 ? EXIT_SUCCESS : EXIT_FAILURE;
 335 }
 336
 337 #else /* ! QCRYPTO_HAVE_TLS_TEST_SUPPORT */
 338
 339 int
 340 main(void)
 341 {
 342     return EXIT_SUCCESS;
 343 }
 344
 345 #endif /* ! QCRYPTO_HAVE_TLS_TEST_SUPPORT */