tests/test-io-channel-tls.c

   1 /*
   2  * QEMU I/O channel TLS test
   3  *
   4  * Copyright (C) 2015 Red Hat, Inc.
   5  *
   6  * This library is free software; you can redistribute it and/or
   7  * modify it under the terms of the GNU Lesser General Public
   8  * License as published by the Free Software Foundation; either
   9  * version 2.1 of the License, or (at your option) any later version.
  10  *
  11  * This library is distributed in the hope that it will be useful,
  12  * but WITHOUT ANY WARRANTY; without even the implied warranty of
  13  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
  14  * Lesser General Public License for more details.
  15  *
  16  * You should have received a copy of the GNU Lesser General Public
  17  * License along with this library.  If not, see
  18  * <http://www.gnu.org/licenses/>.
  19  *
  20  * Author: Daniel P. Berrange <[email protected]>
  21  */
  22
  23
  24 #include <stdlib.h>
  25 #include <fcntl.h>
  26
  27 #include "config-host.h"
  28 #include "crypto-tls-x509-helpers.h"
  29 #include "io/channel-tls.h"
  30 #include "io/channel-socket.h"
  31 #include "io-channel-helpers.h"
  32 #include "crypto/tlscredsx509.h"
  33 #include "qemu/acl.h"
  34 #include "qom/object_interfaces.h"
  35
  36 #ifdef QCRYPTO_HAVE_TLS_TEST_SUPPORT
  37
  38 #define WORKDIR "tests/test-io-channel-tls-work/"
  39 #define KEYFILE WORKDIR "key-ctx.pem"
  40
  41 struct QIOChannelTLSTestData {
  42     const char *servercacrt;
  43     const char *clientcacrt;
  44     const char *servercrt;
  45     const char *clientcrt;
  46     bool expectServerFail;
  47     bool expectClientFail;
  48     const char *hostname;
  49     const char *const *wildcards;
  50 };
  51
  52 struct QIOChannelTLSHandshakeData {
  53     bool finished;
  54     bool failed;
  55 };
  56
  57 static void test_tls_handshake_done(Object *source,
  58                                     Error *err,
  59                                     gpointer opaque)
  60 {
  61     struct QIOChannelTLSHandshakeData *data = opaque;
  62
  63     data->finished = true;
  64     data->failed = err != NULL;
  65 }
  66
  67
  68 static QCryptoTLSCreds *test_tls_creds_create(QCryptoTLSCredsEndpoint endpoint,
  69                                               const char *certdir,
  70                                               Error **errp)
  71 {
  72     Object *parent = object_get_objects_root();
  73     Object *creds = object_new_with_props(
  74         TYPE_QCRYPTO_TLS_CREDS_X509,
  75         parent,
  76         (endpoint == QCRYPTO_TLS_CREDS_ENDPOINT_SERVER ?
  77          "testtlscredsserver" : "testtlscredsclient"),
  78         errp,
  79         "endpoint", (endpoint == QCRYPTO_TLS_CREDS_ENDPOINT_SERVER ?
  80                      "server" : "client"),
  81         "dir", certdir,
  82         "verify-peer", "yes",
  83         /* We skip initial sanity checks here because we
  84          * want to make sure that problems are being
  85          * detected at the TLS session validation stage,
  86          * and the test-crypto-tlscreds test already
  87          * validate the sanity check code.
  88          */
  89         "sanity-check", "no",
  90         NULL
  91         );
  92
  93     if (*errp) {
  94         return NULL;
  95     }
  96     return QCRYPTO_TLS_CREDS(creds);
  97 }
  98
  99
 100 /*
 101  * This tests validation checking of peer certificates
 102  *
 103  * This is replicating the checks that are done for an
 104  * active TLS session after handshake completes. To
 105  * simulate that we create our TLS contexts, skipping
 106  * sanity checks. When then get a socketpair, and
 107  * initiate a TLS session across them. Finally do
 108  * do actual cert validation tests
 109  */
 110 static void test_io_channel_tls(const void *opaque)
 111 {
 112     struct QIOChannelTLSTestData *data =
 113         (struct QIOChannelTLSTestData *)opaque;
 114     QCryptoTLSCreds *clientCreds;
 115     QCryptoTLSCreds *serverCreds;
 116     QIOChannelTLS *clientChanTLS;
 117     QIOChannelTLS *serverChanTLS;
 118     QIOChannelSocket *clientChanSock;
 119     QIOChannelSocket *serverChanSock;
 120     qemu_acl *acl;
 121     const char * const *wildcards;
 122     int channel[2];
 123     struct QIOChannelTLSHandshakeData clientHandshake = { false, false };
 124     struct QIOChannelTLSHandshakeData serverHandshake = { false, false };
 125     Error *err = NULL;
 126     QIOChannelTest *test;
 127     GMainContext *mainloop;
 128
 129     /* We'll use this for our fake client-server connection */
 130     g_assert(socketpair(AF_UNIX, SOCK_STREAM, 0, channel) == 0);
 131
 132 #define CLIENT_CERT_DIR "tests/test-crypto-tlssession-client/"
 133 #define SERVER_CERT_DIR "tests/test-crypto-tlssession-server/"
 134     mkdir(CLIENT_CERT_DIR, 0700);
 135     mkdir(SERVER_CERT_DIR, 0700);
 136
 137     unlink(SERVER_CERT_DIR QCRYPTO_TLS_CREDS_X509_CA_CERT);
 138     unlink(SERVER_CERT_DIR QCRYPTO_TLS_CREDS_X509_SERVER_CERT);
 139     unlink(SERVER_CERT_DIR QCRYPTO_TLS_CREDS_X509_SERVER_KEY);
 140
 141     unlink(CLIENT_CERT_DIR QCRYPTO_TLS_CREDS_X509_CA_CERT);
 142     unlink(CLIENT_CERT_DIR QCRYPTO_TLS_CREDS_X509_CLIENT_CERT);
 143     unlink(CLIENT_CERT_DIR QCRYPTO_TLS_CREDS_X509_CLIENT_KEY);
 144
 145     g_assert(link(data->servercacrt,
 146                   SERVER_CERT_DIR QCRYPTO_TLS_CREDS_X509_CA_CERT) == 0);
 147     g_assert(link(data->servercrt,
 148                   SERVER_CERT_DIR QCRYPTO_TLS_CREDS_X509_SERVER_CERT) == 0);
 149     g_assert(link(KEYFILE,
 150                   SERVER_CERT_DIR QCRYPTO_TLS_CREDS_X509_SERVER_KEY) == 0);
 151
 152     g_assert(link(data->clientcacrt,
 153                   CLIENT_CERT_DIR QCRYPTO_TLS_CREDS_X509_CA_CERT) == 0);
 154     g_assert(link(data->clientcrt,
 155                   CLIENT_CERT_DIR QCRYPTO_TLS_CREDS_X509_CLIENT_CERT) == 0);
 156     g_assert(link(KEYFILE,
 157                   CLIENT_CERT_DIR QCRYPTO_TLS_CREDS_X509_CLIENT_KEY) == 0);
 158
 159     clientCreds = test_tls_creds_create(
 160         QCRYPTO_TLS_CREDS_ENDPOINT_CLIENT,
 161         CLIENT_CERT_DIR,
 162         &err);
 163     g_assert(clientCreds != NULL);
 164
 165     serverCreds = test_tls_creds_create(
 166         QCRYPTO_TLS_CREDS_ENDPOINT_SERVER,
 167         SERVER_CERT_DIR,
 168         &err);
 169     g_assert(serverCreds != NULL);
 170
 171     acl = qemu_acl_init("channeltlsacl");
 172     qemu_acl_reset(acl);
 173     wildcards = data->wildcards;
 174     while (wildcards && *wildcards) {
 175         qemu_acl_append(acl, 0, *wildcards);
 176         wildcards++;
 177     }
 178
 179     clientChanSock = qio_channel_socket_new_fd(
 180         channel[0], &err);
 181     g_assert(clientChanSock != NULL);
 182     serverChanSock = qio_channel_socket_new_fd(
 183         channel[1], &err);
 184     g_assert(serverChanSock != NULL);
 185
 186     /*
 187      * We have an evil loop to do the handshake in a single
 188      * thread, so we need these non-blocking to avoid deadlock
 189      * of ourselves
 190      */
 191     qio_channel_set_blocking(QIO_CHANNEL(clientChanSock), false, NULL);
 192     qio_channel_set_blocking(QIO_CHANNEL(serverChanSock), false, NULL);
 193
 194     /* Now the real part of the test, setup the sessions */
 195     clientChanTLS = qio_channel_tls_new_client(
 196         QIO_CHANNEL(clientChanSock), clientCreds,
 197         data->hostname, &err);
 198     g_assert(clientChanTLS != NULL);
 199
 200     serverChanTLS = qio_channel_tls_new_server(
 201         QIO_CHANNEL(serverChanSock), serverCreds,
 202         "channeltlsacl", &err);
 203     g_assert(serverChanTLS != NULL);
 204
 205     qio_channel_tls_handshake(clientChanTLS,
 206                               test_tls_handshake_done,
 207                               &clientHandshake,
 208                               NULL);
 209     qio_channel_tls_handshake(serverChanTLS,
 210                               test_tls_handshake_done,
 211                               &serverHandshake,
 212                               NULL);
 213
 214     /*
 215      * Finally we loop around & around doing handshake on each
 216      * session until we get an error, or the handshake completes.
 217      * This relies on the socketpair being nonblocking to avoid
 218      * deadlocking ourselves upon handshake
 219      */
 220     mainloop = g_main_context_default();
 221     do {
 222         g_main_context_iteration(mainloop, TRUE);
 223     } while (!clientHandshake.finished &&
 224              !serverHandshake.finished);
 225
 226     g_assert(clientHandshake.failed == data->expectClientFail);
 227     g_assert(serverHandshake.failed == data->expectServerFail);
 228
 229     test = qio_channel_test_new();
 230     qio_channel_test_run_threads(test, false,
 231                                  QIO_CHANNEL(clientChanTLS),
 232                                  QIO_CHANNEL(serverChanTLS));
 233     qio_channel_test_validate(test);
 234
 235     test = qio_channel_test_new();
 236     qio_channel_test_run_threads(test, true,
 237                                  QIO_CHANNEL(clientChanTLS),
 238                                  QIO_CHANNEL(serverChanTLS));
 239     qio_channel_test_validate(test);
 240
 241     unlink(SERVER_CERT_DIR QCRYPTO_TLS_CREDS_X509_CA_CERT);
 242     unlink(SERVER_CERT_DIR QCRYPTO_TLS_CREDS_X509_SERVER_CERT);
 243     unlink(SERVER_CERT_DIR QCRYPTO_TLS_CREDS_X509_SERVER_KEY);
 244
 245     unlink(CLIENT_CERT_DIR QCRYPTO_TLS_CREDS_X509_CA_CERT);
 246     unlink(CLIENT_CERT_DIR QCRYPTO_TLS_CREDS_X509_CLIENT_CERT);
 247     unlink(CLIENT_CERT_DIR QCRYPTO_TLS_CREDS_X509_CLIENT_KEY);
 248
 249     rmdir(CLIENT_CERT_DIR);
 250     rmdir(SERVER_CERT_DIR);
 251
 252     object_unparent(OBJECT(serverCreds));
 253     object_unparent(OBJECT(clientCreds));
 254
 255     object_unref(OBJECT(serverChanTLS));
 256     object_unref(OBJECT(clientChanTLS));
 257
 258     object_unref(OBJECT(serverChanSock));
 259     object_unref(OBJECT(clientChanSock));
 260
 261     close(channel[0]);
 262     close(channel[1]);
 263 }
 264
 265
 266 int main(int argc, char **argv)
 267 {
 268     int ret;
 269
 270     module_call_init(MODULE_INIT_QOM);
 271     g_test_init(&argc, &argv, NULL);
 272     setenv("GNUTLS_FORCE_FIPS_MODE", "2", 1);
 273
 274     mkdir(WORKDIR, 0700);
 275
 276     test_tls_init(KEYFILE);
 277
 278 # define TEST_CHANNEL(name, caCrt,                                      \
 279                       serverCrt, clientCrt,                             \
 280                       expectServerFail, expectClientFail,               \
 281                       hostname, wildcards)                              \
 282     struct QIOChannelTLSTestData name = {                               \
 283         caCrt, caCrt, serverCrt, clientCrt,                             \
 284         expectServerFail, expectClientFail,                             \
 285         hostname, wildcards                                             \
 286     };                                                                  \
 287     g_test_add_data_func("/qio/channel/tls/" # name,                    \
 288                          &name, test_io_channel_tls);
 289
 290     /* A perfect CA, perfect client & perfect server */
 291
 292     /* Basic:CA:critical */
 293     TLS_ROOT_REQ(cacertreq,
 294                  "UK", "qemu CA", NULL, NULL, NULL, NULL,
 295                  true, true, true,
 296                  true, true, GNUTLS_KEY_KEY_CERT_SIGN,
 297                  false, false, NULL, NULL,
 298                  0, 0);
 299     TLS_CERT_REQ(servercertreq, cacertreq,
 300                  "UK", "qemu.org", NULL, NULL, NULL, NULL,
 301                  true, true, false,
 302                  true, true,
 303                  GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT,
 304                  true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL,
 305                  0, 0);
 306     TLS_CERT_REQ(clientcertreq, cacertreq,
 307                  "UK", "qemu", NULL, NULL, NULL, NULL,
 308                  true, true, false,
 309                  true, true,
 310                  GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT,
 311                  true, true, GNUTLS_KP_TLS_WWW_CLIENT, NULL,
 312                  0, 0);
 313
 314     const char *const wildcards[] = {
 315         "C=UK,CN=qemu*",
 316         NULL,
 317     };
 318     TEST_CHANNEL(basic, cacertreq.filename, servercertreq.filename,
 319                  clientcertreq.filename, false, false,
 320                  "qemu.org", wildcards);
 321
 322     ret = g_test_run();
 323
 324     test_tls_discard_cert(&clientcertreq);
 325     test_tls_discard_cert(&servercertreq);
 326     test_tls_discard_cert(&cacertreq);
 327
 328     test_tls_cleanup(KEYFILE);
 329     rmdir(WORKDIR);
 330
 331     return ret == 0 ? EXIT_SUCCESS : EXIT_FAILURE;
 332 }
 333
 334 #else /* ! QCRYPTO_HAVE_TLS_TEST_SUPPORT */
 335
 336 int
 337 main(void)
 338 {
 339     return EXIT_SUCCESS;
 340 }
 341
 342 #endif /* ! QCRYPTO_HAVE_TLS_TEST_SUPPORT */