tests/test-io-channel-tls.c

   1 /*
   2  * QEMU I/O channel TLS test
   3  *
   4  * Copyright (C) 2015 Red Hat, Inc.
   5  *
   6  * This library is free software; you can redistribute it and/or
   7  * modify it under the terms of the GNU Lesser General Public
   8  * License as published by the Free Software Foundation; either
   9  * version 2.1 of the License, or (at your option) any later version.
  10  *
  11  * This library is distributed in the hope that it will be useful,
  12  * but WITHOUT ANY WARRANTY; without even the implied warranty of
  13  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
  14  * Lesser General Public License for more details.
  15  *
  16  * You should have received a copy of the GNU Lesser General Public
  17  * License along with this library.  If not, see
  18  * <http://www.gnu.org/licenses/>.
  19  *
  20  * Author: Daniel P. Berrange <[email protected]>
  21  */
  22
  23
  24 #include "qemu/osdep.h"
  25
  26 #include "crypto-tls-x509-helpers.h"
  27 #include "io/channel-tls.h"
  28 #include "io/channel-socket.h"
  29 #include "io-channel-helpers.h"
  30 #include "crypto/init.h"
  31 #include "crypto/tlscredsx509.h"
  32 #include "qemu/acl.h"
  33 #include "qom/object_interfaces.h"
  34
  35 #ifdef QCRYPTO_HAVE_TLS_TEST_SUPPORT
  36
  37 #define WORKDIR "tests/test-io-channel-tls-work/"
  38 #define KEYFILE WORKDIR "key-ctx.pem"
  39
  40 struct QIOChannelTLSTestData {
  41     const char *servercacrt;
  42     const char *clientcacrt;
  43     const char *servercrt;
  44     const char *clientcrt;
  45     bool expectServerFail;
  46     bool expectClientFail;
  47     const char *hostname;
  48     const char *const *wildcards;
  49 };
  50
  51 struct QIOChannelTLSHandshakeData {
  52     bool finished;
  53     bool failed;
  54 };
  55
  56 static void test_tls_handshake_done(Object *source,
  57                                     Error *err,
  58                                     gpointer opaque)
  59 {
  60     struct QIOChannelTLSHandshakeData *data = opaque;
  61
  62     data->finished = true;
  63     data->failed = err != NULL;
  64 }
  65
  66
  67 static QCryptoTLSCreds *test_tls_creds_create(QCryptoTLSCredsEndpoint endpoint,
  68                                               const char *certdir,
  69                                               Error **errp)
  70 {
  71     Object *parent = object_get_objects_root();
  72     Object *creds = object_new_with_props(
  73         TYPE_QCRYPTO_TLS_CREDS_X509,
  74         parent,
  75         (endpoint == QCRYPTO_TLS_CREDS_ENDPOINT_SERVER ?
  76          "testtlscredsserver" : "testtlscredsclient"),
  77         errp,
  78         "endpoint", (endpoint == QCRYPTO_TLS_CREDS_ENDPOINT_SERVER ?
  79                      "server" : "client"),
  80         "dir", certdir,
  81         "verify-peer", "yes",
  82         /* We skip initial sanity checks here because we
  83          * want to make sure that problems are being
  84          * detected at the TLS session validation stage,
  85          * and the test-crypto-tlscreds test already
  86          * validate the sanity check code.
  87          */
  88         "sanity-check", "no",
  89         NULL
  90         );
  91
  92     if (*errp) {
  93         return NULL;
  94     }
  95     return QCRYPTO_TLS_CREDS(creds);
  96 }
  97
  98
  99 /*
 100  * This tests validation checking of peer certificates
 101  *
 102  * This is replicating the checks that are done for an
 103  * active TLS session after handshake completes. To
 104  * simulate that we create our TLS contexts, skipping
 105  * sanity checks. When then get a socketpair, and
 106  * initiate a TLS session across them. Finally do
 107  * do actual cert validation tests
 108  */
 109 static void test_io_channel_tls(const void *opaque)
 110 {
 111     struct QIOChannelTLSTestData *data =
 112         (struct QIOChannelTLSTestData *)opaque;
 113     QCryptoTLSCreds *clientCreds;
 114     QCryptoTLSCreds *serverCreds;
 115     QIOChannelTLS *clientChanTLS;
 116     QIOChannelTLS *serverChanTLS;
 117     QIOChannelSocket *clientChanSock;
 118     QIOChannelSocket *serverChanSock;
 119     qemu_acl *acl;
 120     const char * const *wildcards;
 121     int channel[2];
 122     struct QIOChannelTLSHandshakeData clientHandshake = { false, false };
 123     struct QIOChannelTLSHandshakeData serverHandshake = { false, false };
 124     Error *err = NULL;
 125     QIOChannelTest *test;
 126     GMainContext *mainloop;
 127
 128     /* We'll use this for our fake client-server connection */
 129     g_assert(socketpair(AF_UNIX, SOCK_STREAM, 0, channel) == 0);
 130
 131 #define CLIENT_CERT_DIR "tests/test-crypto-tlssession-client/"
 132 #define SERVER_CERT_DIR "tests/test-crypto-tlssession-server/"
 133     mkdir(CLIENT_CERT_DIR, 0700);
 134     mkdir(SERVER_CERT_DIR, 0700);
 135
 136     unlink(SERVER_CERT_DIR QCRYPTO_TLS_CREDS_X509_CA_CERT);
 137     unlink(SERVER_CERT_DIR QCRYPTO_TLS_CREDS_X509_SERVER_CERT);
 138     unlink(SERVER_CERT_DIR QCRYPTO_TLS_CREDS_X509_SERVER_KEY);
 139
 140     unlink(CLIENT_CERT_DIR QCRYPTO_TLS_CREDS_X509_CA_CERT);
 141     unlink(CLIENT_CERT_DIR QCRYPTO_TLS_CREDS_X509_CLIENT_CERT);
 142     unlink(CLIENT_CERT_DIR QCRYPTO_TLS_CREDS_X509_CLIENT_KEY);
 143
 144     g_assert(link(data->servercacrt,
 145                   SERVER_CERT_DIR QCRYPTO_TLS_CREDS_X509_CA_CERT) == 0);
 146     g_assert(link(data->servercrt,
 147                   SERVER_CERT_DIR QCRYPTO_TLS_CREDS_X509_SERVER_CERT) == 0);
 148     g_assert(link(KEYFILE,
 149                   SERVER_CERT_DIR QCRYPTO_TLS_CREDS_X509_SERVER_KEY) == 0);
 150
 151     g_assert(link(data->clientcacrt,
 152                   CLIENT_CERT_DIR QCRYPTO_TLS_CREDS_X509_CA_CERT) == 0);
 153     g_assert(link(data->clientcrt,
 154                   CLIENT_CERT_DIR QCRYPTO_TLS_CREDS_X509_CLIENT_CERT) == 0);
 155     g_assert(link(KEYFILE,
 156                   CLIENT_CERT_DIR QCRYPTO_TLS_CREDS_X509_CLIENT_KEY) == 0);
 157
 158     clientCreds = test_tls_creds_create(
 159         QCRYPTO_TLS_CREDS_ENDPOINT_CLIENT,
 160         CLIENT_CERT_DIR,
 161         &err);
 162     g_assert(clientCreds != NULL);
 163
 164     serverCreds = test_tls_creds_create(
 165         QCRYPTO_TLS_CREDS_ENDPOINT_SERVER,
 166         SERVER_CERT_DIR,
 167         &err);
 168     g_assert(serverCreds != NULL);
 169
 170     acl = qemu_acl_init("channeltlsacl");
 171     qemu_acl_reset(acl);
 172     wildcards = data->wildcards;
 173     while (wildcards && *wildcards) {
 174         qemu_acl_append(acl, 0, *wildcards);
 175         wildcards++;
 176     }
 177
 178     clientChanSock = qio_channel_socket_new_fd(
 179         channel[0], &err);
 180     g_assert(clientChanSock != NULL);
 181     serverChanSock = qio_channel_socket_new_fd(
 182         channel[1], &err);
 183     g_assert(serverChanSock != NULL);
 184
 185     /*
 186      * We have an evil loop to do the handshake in a single
 187      * thread, so we need these non-blocking to avoid deadlock
 188      * of ourselves
 189      */
 190     qio_channel_set_blocking(QIO_CHANNEL(clientChanSock), false, NULL);
 191     qio_channel_set_blocking(QIO_CHANNEL(serverChanSock), false, NULL);
 192
 193     /* Now the real part of the test, setup the sessions */
 194     clientChanTLS = qio_channel_tls_new_client(
 195         QIO_CHANNEL(clientChanSock), clientCreds,
 196         data->hostname, &err);
 197     g_assert(clientChanTLS != NULL);
 198
 199     serverChanTLS = qio_channel_tls_new_server(
 200         QIO_CHANNEL(serverChanSock), serverCreds,
 201         "channeltlsacl", &err);
 202     g_assert(serverChanTLS != NULL);
 203
 204     qio_channel_tls_handshake(clientChanTLS,
 205                               test_tls_handshake_done,
 206                               &clientHandshake,
 207                               NULL);
 208     qio_channel_tls_handshake(serverChanTLS,
 209                               test_tls_handshake_done,
 210                               &serverHandshake,
 211                               NULL);
 212
 213     /*
 214      * Finally we loop around & around doing handshake on each
 215      * session until we get an error, or the handshake completes.
 216      * This relies on the socketpair being nonblocking to avoid
 217      * deadlocking ourselves upon handshake
 218      */
 219     mainloop = g_main_context_default();
 220     do {
 221         g_main_context_iteration(mainloop, TRUE);
 222     } while (!clientHandshake.finished &&
 223              !serverHandshake.finished);
 224
 225     g_assert(clientHandshake.failed == data->expectClientFail);
 226     g_assert(serverHandshake.failed == data->expectServerFail);
 227
 228     test = qio_channel_test_new();
 229     qio_channel_test_run_threads(test, false,
 230                                  QIO_CHANNEL(clientChanTLS),
 231                                  QIO_CHANNEL(serverChanTLS));
 232     qio_channel_test_validate(test);
 233
 234     test = qio_channel_test_new();
 235     qio_channel_test_run_threads(test, true,
 236                                  QIO_CHANNEL(clientChanTLS),
 237                                  QIO_CHANNEL(serverChanTLS));
 238     qio_channel_test_validate(test);
 239
 240     unlink(SERVER_CERT_DIR QCRYPTO_TLS_CREDS_X509_CA_CERT);
 241     unlink(SERVER_CERT_DIR QCRYPTO_TLS_CREDS_X509_SERVER_CERT);
 242     unlink(SERVER_CERT_DIR QCRYPTO_TLS_CREDS_X509_SERVER_KEY);
 243
 244     unlink(CLIENT_CERT_DIR QCRYPTO_TLS_CREDS_X509_CA_CERT);
 245     unlink(CLIENT_CERT_DIR QCRYPTO_TLS_CREDS_X509_CLIENT_CERT);
 246     unlink(CLIENT_CERT_DIR QCRYPTO_TLS_CREDS_X509_CLIENT_KEY);
 247
 248     rmdir(CLIENT_CERT_DIR);
 249     rmdir(SERVER_CERT_DIR);
 250
 251     object_unparent(OBJECT(serverCreds));
 252     object_unparent(OBJECT(clientCreds));
 253
 254     object_unref(OBJECT(serverChanTLS));
 255     object_unref(OBJECT(clientChanTLS));
 256
 257     object_unref(OBJECT(serverChanSock));
 258     object_unref(OBJECT(clientChanSock));
 259
 260     close(channel[0]);
 261     close(channel[1]);
 262 }
 263
 264
 265 int main(int argc, char **argv)
 266 {
 267     int ret;
 268
 269     g_assert(qcrypto_init(NULL) == 0);
 270
 271     module_call_init(MODULE_INIT_QOM);
 272     g_test_init(&argc, &argv, NULL);
 273     setenv("GNUTLS_FORCE_FIPS_MODE", "2", 1);
 274
 275     mkdir(WORKDIR, 0700);
 276
 277     test_tls_init(KEYFILE);
 278
 279 # define TEST_CHANNEL(name, caCrt,                                      \
 280                       serverCrt, clientCrt,                             \
 281                       expectServerFail, expectClientFail,               \
 282                       hostname, wildcards)                              \
 283     struct QIOChannelTLSTestData name = {                               \
 284         caCrt, caCrt, serverCrt, clientCrt,                             \
 285         expectServerFail, expectClientFail,                             \
 286         hostname, wildcards                                             \
 287     };                                                                  \
 288     g_test_add_data_func("/qio/channel/tls/" # name,                    \
 289                          &name, test_io_channel_tls);
 290
 291     /* A perfect CA, perfect client & perfect server */
 292
 293     /* Basic:CA:critical */
 294     TLS_ROOT_REQ(cacertreq,
 295                  "UK", "qemu CA", NULL, NULL, NULL, NULL,
 296                  true, true, true,
 297                  true, true, GNUTLS_KEY_KEY_CERT_SIGN,
 298                  false, false, NULL, NULL,
 299                  0, 0);
 300     TLS_CERT_REQ(servercertreq, cacertreq,
 301                  "UK", "qemu.org", NULL, NULL, NULL, NULL,
 302                  true, true, false,
 303                  true, true,
 304                  GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT,
 305                  true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL,
 306                  0, 0);
 307     TLS_CERT_REQ(clientcertreq, cacertreq,
 308                  "UK", "qemu", NULL, NULL, NULL, NULL,
 309                  true, true, false,
 310                  true, true,
 311                  GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT,
 312                  true, true, GNUTLS_KP_TLS_WWW_CLIENT, NULL,
 313                  0, 0);
 314
 315     const char *const wildcards[] = {
 316         "C=UK,CN=qemu*",
 317         NULL,
 318     };
 319     TEST_CHANNEL(basic, cacertreq.filename, servercertreq.filename,
 320                  clientcertreq.filename, false, false,
 321                  "qemu.org", wildcards);
 322
 323     ret = g_test_run();
 324
 325     test_tls_discard_cert(&clientcertreq);
 326     test_tls_discard_cert(&servercertreq);
 327     test_tls_discard_cert(&cacertreq);
 328
 329     test_tls_cleanup(KEYFILE);
 330     rmdir(WORKDIR);
 331
 332     return ret == 0 ? EXIT_SUCCESS : EXIT_FAILURE;
 333 }
 334
 335 #else /* ! QCRYPTO_HAVE_TLS_TEST_SUPPORT */
 336
 337 int
 338 main(void)
 339 {
 340     return EXIT_SUCCESS;
 341 }
 342
 343 #endif /* ! QCRYPTO_HAVE_TLS_TEST_SUPPORT */