2 * Copyright (C) 2015 Red Hat, Inc.
4 * This library is free software; you can redistribute it and/or
5 * modify it under the terms of the GNU Lesser General Public
6 * License as published by the Free Software Foundation; either
7 * version 2.1 of the License, or (at your option) any later version.
9 * This library is distributed in the hope that it will be useful,
10 * but WITHOUT ANY WARRANTY; without even the implied warranty of
11 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
12 * Lesser General Public License for more details.
14 * You should have received a copy of the GNU Lesser General Public
15 * License along with this library. If not, see
16 * <http://www.gnu.org/licenses/>.
18 * Author: Daniel P. Berrange <berrange@redhat.com>
21 #include "qemu/osdep.h"
23 #include "crypto-tls-x509-helpers.h"
24 #include "crypto/tlscredsx509.h"
25 #include "crypto/tlssession.h"
26 #include "qom/object_interfaces.h"
27 #include "qapi/error.h"
28 #include "qemu/sockets.h"
31 #ifdef QCRYPTO_HAVE_TLS_TEST_SUPPORT
33 #define WORKDIR "tests/test-crypto-tlssession-work/"
34 #define KEYFILE WORKDIR "key-ctx.pem"
36 struct QCryptoTLSSessionTestData
{
37 const char *servercacrt
;
38 const char *clientcacrt
;
39 const char *servercrt
;
40 const char *clientcrt
;
41 bool expectServerFail
;
42 bool expectClientFail
;
44 const char *const *wildcards
;
48 static ssize_t
testWrite(const char *buf
, size_t len
, void *opaque
)
52 return write(*fd
, buf
, len
);
55 static ssize_t
testRead(char *buf
, size_t len
, void *opaque
)
59 return read(*fd
, buf
, len
);
62 static QCryptoTLSCreds
*test_tls_creds_create(QCryptoTLSCredsEndpoint endpoint
,
67 Object
*parent
= object_get_objects_root();
68 Object
*creds
= object_new_with_props(
69 TYPE_QCRYPTO_TLS_CREDS_X509
,
71 (endpoint
== QCRYPTO_TLS_CREDS_ENDPOINT_SERVER
?
72 "testtlscredsserver" : "testtlscredsclient"),
74 "endpoint", (endpoint
== QCRYPTO_TLS_CREDS_ENDPOINT_SERVER
?
79 /* We skip initial sanity checks here because we
80 * want to make sure that problems are being
81 * detected at the TLS session validation stage,
82 * and the test-crypto-tlscreds test already
83 * validate the sanity check code.
90 error_propagate(errp
, err
);
93 return QCRYPTO_TLS_CREDS(creds
);
98 * This tests validation checking of peer certificates
100 * This is replicating the checks that are done for an
101 * active TLS session after handshake completes. To
102 * simulate that we create our TLS contexts, skipping
103 * sanity checks. We then get a socketpair, and
104 * initiate a TLS session across them. Finally do
105 * do actual cert validation tests
107 static void test_crypto_tls_session(const void *opaque
)
109 struct QCryptoTLSSessionTestData
*data
=
110 (struct QCryptoTLSSessionTestData
*)opaque
;
111 QCryptoTLSCreds
*clientCreds
;
112 QCryptoTLSCreds
*serverCreds
;
113 QCryptoTLSSession
*clientSess
= NULL
;
114 QCryptoTLSSession
*serverSess
= NULL
;
116 const char * const *wildcards
;
118 bool clientShake
= false;
119 bool serverShake
= false;
123 /* We'll use this for our fake client-server connection */
124 ret
= socketpair(AF_UNIX
, SOCK_STREAM
, 0, channel
);
128 * We have an evil loop to do the handshake in a single
129 * thread, so we need these non-blocking to avoid deadlock
132 qemu_set_nonblock(channel
[0]);
133 qemu_set_nonblock(channel
[1]);
135 #define CLIENT_CERT_DIR "tests/test-crypto-tlssession-client/"
136 #define SERVER_CERT_DIR "tests/test-crypto-tlssession-server/"
137 mkdir(CLIENT_CERT_DIR
, 0700);
138 mkdir(SERVER_CERT_DIR
, 0700);
140 unlink(SERVER_CERT_DIR QCRYPTO_TLS_CREDS_X509_CA_CERT
);
141 unlink(SERVER_CERT_DIR QCRYPTO_TLS_CREDS_X509_SERVER_CERT
);
142 unlink(SERVER_CERT_DIR QCRYPTO_TLS_CREDS_X509_SERVER_KEY
);
144 unlink(CLIENT_CERT_DIR QCRYPTO_TLS_CREDS_X509_CA_CERT
);
145 unlink(CLIENT_CERT_DIR QCRYPTO_TLS_CREDS_X509_CLIENT_CERT
);
146 unlink(CLIENT_CERT_DIR QCRYPTO_TLS_CREDS_X509_CLIENT_KEY
);
148 g_assert(link(data
->servercacrt
,
149 SERVER_CERT_DIR QCRYPTO_TLS_CREDS_X509_CA_CERT
) == 0);
150 g_assert(link(data
->servercrt
,
151 SERVER_CERT_DIR QCRYPTO_TLS_CREDS_X509_SERVER_CERT
) == 0);
152 g_assert(link(KEYFILE
,
153 SERVER_CERT_DIR QCRYPTO_TLS_CREDS_X509_SERVER_KEY
) == 0);
155 g_assert(link(data
->clientcacrt
,
156 CLIENT_CERT_DIR QCRYPTO_TLS_CREDS_X509_CA_CERT
) == 0);
157 g_assert(link(data
->clientcrt
,
158 CLIENT_CERT_DIR QCRYPTO_TLS_CREDS_X509_CLIENT_CERT
) == 0);
159 g_assert(link(KEYFILE
,
160 CLIENT_CERT_DIR QCRYPTO_TLS_CREDS_X509_CLIENT_KEY
) == 0);
162 clientCreds
= test_tls_creds_create(
163 QCRYPTO_TLS_CREDS_ENDPOINT_CLIENT
,
166 g_assert(clientCreds
!= NULL
);
168 serverCreds
= test_tls_creds_create(
169 QCRYPTO_TLS_CREDS_ENDPOINT_SERVER
,
172 g_assert(serverCreds
!= NULL
);
174 acl
= qemu_acl_init("tlssessionacl");
176 wildcards
= data
->wildcards
;
177 while (wildcards
&& *wildcards
) {
178 qemu_acl_append(acl
, 0, *wildcards
);
182 /* Now the real part of the test, setup the sessions */
183 clientSess
= qcrypto_tls_session_new(
184 clientCreds
, data
->hostname
, NULL
,
185 QCRYPTO_TLS_CREDS_ENDPOINT_CLIENT
, &err
);
186 serverSess
= qcrypto_tls_session_new(
188 data
->wildcards
? "tlssessionacl" : NULL
,
189 QCRYPTO_TLS_CREDS_ENDPOINT_SERVER
, &err
);
191 g_assert(clientSess
!= NULL
);
192 g_assert(serverSess
!= NULL
);
194 /* For handshake to work, we need to set the I/O callbacks
195 * to read/write over the socketpair
197 qcrypto_tls_session_set_callbacks(serverSess
,
200 qcrypto_tls_session_set_callbacks(clientSess
,
205 * Finally we loop around & around doing handshake on each
206 * session until we get an error, or the handshake completes.
207 * This relies on the socketpair being nonblocking to avoid
208 * deadlocking ourselves upon handshake
213 rv
= qcrypto_tls_session_handshake(serverSess
,
216 if (qcrypto_tls_session_get_handshake_status(serverSess
) ==
217 QCRYPTO_TLS_HANDSHAKE_COMPLETE
) {
222 rv
= qcrypto_tls_session_handshake(clientSess
,
225 if (qcrypto_tls_session_get_handshake_status(clientSess
) ==
226 QCRYPTO_TLS_HANDSHAKE_COMPLETE
) {
230 } while (!clientShake
&& !serverShake
);
233 /* Finally make sure the server validation does what
236 if (qcrypto_tls_session_check_credentials(serverSess
, &err
) < 0) {
237 g_assert(data
->expectServerFail
);
241 g_assert(!data
->expectServerFail
);
245 * And the same for the client validation check
247 if (qcrypto_tls_session_check_credentials(clientSess
, &err
) < 0) {
248 g_assert(data
->expectClientFail
);
252 g_assert(!data
->expectClientFail
);
255 unlink(SERVER_CERT_DIR QCRYPTO_TLS_CREDS_X509_CA_CERT
);
256 unlink(SERVER_CERT_DIR QCRYPTO_TLS_CREDS_X509_SERVER_CERT
);
257 unlink(SERVER_CERT_DIR QCRYPTO_TLS_CREDS_X509_SERVER_KEY
);
259 unlink(CLIENT_CERT_DIR QCRYPTO_TLS_CREDS_X509_CA_CERT
);
260 unlink(CLIENT_CERT_DIR QCRYPTO_TLS_CREDS_X509_CLIENT_CERT
);
261 unlink(CLIENT_CERT_DIR QCRYPTO_TLS_CREDS_X509_CLIENT_KEY
);
263 rmdir(CLIENT_CERT_DIR
);
264 rmdir(SERVER_CERT_DIR
);
266 object_unparent(OBJECT(serverCreds
));
267 object_unparent(OBJECT(clientCreds
));
269 qcrypto_tls_session_free(serverSess
);
270 qcrypto_tls_session_free(clientSess
);
277 int main(int argc
, char **argv
)
281 module_call_init(MODULE_INIT_QOM
);
282 g_test_init(&argc
, &argv
, NULL
);
283 setenv("GNUTLS_FORCE_FIPS_MODE", "2", 1);
285 mkdir(WORKDIR
, 0700);
287 test_tls_init(KEYFILE
);
289 # define TEST_SESS_REG(name, caCrt, \
290 serverCrt, clientCrt, \
291 expectServerFail, expectClientFail, \
292 hostname, wildcards) \
293 struct QCryptoTLSSessionTestData name = { \
294 caCrt, caCrt, serverCrt, clientCrt, \
295 expectServerFail, expectClientFail, \
296 hostname, wildcards \
298 g_test_add_data_func("/qcrypto/tlssession/" # name, \
299 &name, test_crypto_tls_session); \
302 # define TEST_SESS_REG_EXT(name, serverCaCrt, clientCaCrt, \
303 serverCrt, clientCrt, \
304 expectServerFail, expectClientFail, \
305 hostname, wildcards) \
306 struct QCryptoTLSSessionTestData name = { \
307 serverCaCrt, clientCaCrt, serverCrt, clientCrt, \
308 expectServerFail, expectClientFail, \
309 hostname, wildcards \
311 g_test_add_data_func("/qcrypto/tlssession/" # name, \
312 &name, test_crypto_tls_session); \
314 /* A perfect CA, perfect client & perfect server */
316 /* Basic:CA:critical */
317 TLS_ROOT_REQ(cacertreq
,
318 "UK", "qemu CA", NULL
, NULL
, NULL
, NULL
,
320 true, true, GNUTLS_KEY_KEY_CERT_SIGN
,
321 false, false, NULL
, NULL
,
324 TLS_ROOT_REQ(altcacertreq
,
325 "UK", "qemu CA 1", NULL
, NULL
, NULL
, NULL
,
328 false, false, NULL
, NULL
,
331 TLS_CERT_REQ(servercertreq
, cacertreq
,
332 "UK", "qemu.org", NULL
, NULL
, NULL
, NULL
,
335 GNUTLS_KEY_DIGITAL_SIGNATURE
| GNUTLS_KEY_KEY_ENCIPHERMENT
,
336 true, true, GNUTLS_KP_TLS_WWW_SERVER
, NULL
,
338 TLS_CERT_REQ(clientcertreq
, cacertreq
,
339 "UK", "qemu", NULL
, NULL
, NULL
, NULL
,
342 GNUTLS_KEY_DIGITAL_SIGNATURE
| GNUTLS_KEY_KEY_ENCIPHERMENT
,
343 true, true, GNUTLS_KP_TLS_WWW_CLIENT
, NULL
,
346 TLS_CERT_REQ(clientcertaltreq
, altcacertreq
,
347 "UK", "qemu", NULL
, NULL
, NULL
, NULL
,
350 GNUTLS_KEY_DIGITAL_SIGNATURE
| GNUTLS_KEY_KEY_ENCIPHERMENT
,
351 true, true, GNUTLS_KP_TLS_WWW_CLIENT
, NULL
,
354 TEST_SESS_REG(basicca
, cacertreq
.filename
,
355 servercertreq
.filename
, clientcertreq
.filename
,
356 false, false, "qemu.org", NULL
);
357 TEST_SESS_REG_EXT(differentca
, cacertreq
.filename
,
358 altcacertreq
.filename
, servercertreq
.filename
,
359 clientcertaltreq
.filename
, true, true, "qemu.org", NULL
);
362 /* When an altname is set, the CN is ignored, so it must be duplicated
363 * as an altname for it to match */
364 TLS_CERT_REQ(servercertalt1req
, cacertreq
,
365 "UK", "qemu.org", "www.qemu.org", "qemu.org",
366 "192.168.122.1", "fec0::dead:beaf",
369 GNUTLS_KEY_DIGITAL_SIGNATURE
| GNUTLS_KEY_KEY_ENCIPHERMENT
,
370 true, true, GNUTLS_KP_TLS_WWW_SERVER
, NULL
,
372 /* This intentionally doesn't replicate */
373 TLS_CERT_REQ(servercertalt2req
, cacertreq
,
374 "UK", "qemu.org", "www.qemu.org", "wiki.qemu.org",
375 "192.168.122.1", "fec0::dead:beaf",
378 GNUTLS_KEY_DIGITAL_SIGNATURE
| GNUTLS_KEY_KEY_ENCIPHERMENT
,
379 true, true, GNUTLS_KP_TLS_WWW_SERVER
, NULL
,
382 TEST_SESS_REG(altname1
, cacertreq
.filename
,
383 servercertalt1req
.filename
, clientcertreq
.filename
,
384 false, false, "qemu.org", NULL
);
385 TEST_SESS_REG(altname2
, cacertreq
.filename
,
386 servercertalt1req
.filename
, clientcertreq
.filename
,
387 false, false, "www.qemu.org", NULL
);
388 TEST_SESS_REG(altname3
, cacertreq
.filename
,
389 servercertalt1req
.filename
, clientcertreq
.filename
,
390 false, true, "wiki.qemu.org", NULL
);
392 TEST_SESS_REG(altname4
, cacertreq
.filename
,
393 servercertalt2req
.filename
, clientcertreq
.filename
,
394 false, true, "qemu.org", NULL
);
395 TEST_SESS_REG(altname5
, cacertreq
.filename
,
396 servercertalt2req
.filename
, clientcertreq
.filename
,
397 false, false, "www.qemu.org", NULL
);
398 TEST_SESS_REG(altname6
, cacertreq
.filename
,
399 servercertalt2req
.filename
, clientcertreq
.filename
,
400 false, false, "wiki.qemu.org", NULL
);
402 const char *const wildcards1
[] = {
406 const char *const wildcards2
[] = {
410 const char *const wildcards3
[] = {
415 const char *const wildcards4
[] = {
419 const char *const wildcards5
[] = {
423 const char *const wildcards6
[] = {
428 TEST_SESS_REG(wildcard1
, cacertreq
.filename
,
429 servercertreq
.filename
, clientcertreq
.filename
,
430 true, false, "qemu.org", wildcards1
);
431 TEST_SESS_REG(wildcard2
, cacertreq
.filename
,
432 servercertreq
.filename
, clientcertreq
.filename
,
433 false, false, "qemu.org", wildcards2
);
434 TEST_SESS_REG(wildcard3
, cacertreq
.filename
,
435 servercertreq
.filename
, clientcertreq
.filename
,
436 false, false, "qemu.org", wildcards3
);
437 TEST_SESS_REG(wildcard4
, cacertreq
.filename
,
438 servercertreq
.filename
, clientcertreq
.filename
,
439 true, false, "qemu.org", wildcards4
);
440 TEST_SESS_REG(wildcard5
, cacertreq
.filename
,
441 servercertreq
.filename
, clientcertreq
.filename
,
442 false, false, "qemu.org", wildcards5
);
443 TEST_SESS_REG(wildcard6
, cacertreq
.filename
,
444 servercertreq
.filename
, clientcertreq
.filename
,
445 false, false, "qemu.org", wildcards6
);
447 TLS_ROOT_REQ(cacertrootreq
,
448 "UK", "qemu root", NULL
, NULL
, NULL
, NULL
,
450 true, true, GNUTLS_KEY_KEY_CERT_SIGN
,
451 false, false, NULL
, NULL
,
453 TLS_CERT_REQ(cacertlevel1areq
, cacertrootreq
,
454 "UK", "qemu level 1a", NULL
, NULL
, NULL
, NULL
,
456 true, true, GNUTLS_KEY_KEY_CERT_SIGN
,
457 false, false, NULL
, NULL
,
459 TLS_CERT_REQ(cacertlevel1breq
, cacertrootreq
,
460 "UK", "qemu level 1b", NULL
, NULL
, NULL
, NULL
,
462 true, true, GNUTLS_KEY_KEY_CERT_SIGN
,
463 false, false, NULL
, NULL
,
465 TLS_CERT_REQ(cacertlevel2areq
, cacertlevel1areq
,
466 "UK", "qemu level 2a", NULL
, NULL
, NULL
, NULL
,
468 true, true, GNUTLS_KEY_KEY_CERT_SIGN
,
469 false, false, NULL
, NULL
,
471 TLS_CERT_REQ(servercertlevel3areq
, cacertlevel2areq
,
472 "UK", "qemu.org", NULL
, NULL
, NULL
, NULL
,
475 GNUTLS_KEY_DIGITAL_SIGNATURE
| GNUTLS_KEY_KEY_ENCIPHERMENT
,
476 true, true, GNUTLS_KP_TLS_WWW_SERVER
, NULL
,
478 TLS_CERT_REQ(clientcertlevel2breq
, cacertlevel1breq
,
479 "UK", "qemu client level 2b", NULL
, NULL
, NULL
, NULL
,
482 GNUTLS_KEY_DIGITAL_SIGNATURE
| GNUTLS_KEY_KEY_ENCIPHERMENT
,
483 true, true, GNUTLS_KP_TLS_WWW_CLIENT
, NULL
,
486 gnutls_x509_crt_t certchain
[] = {
488 cacertlevel1areq
.crt
,
489 cacertlevel1breq
.crt
,
490 cacertlevel2areq
.crt
,
493 test_tls_write_cert_chain(WORKDIR
"cacertchain-sess.pem",
495 G_N_ELEMENTS(certchain
));
497 TEST_SESS_REG(cachain
, WORKDIR
"cacertchain-sess.pem",
498 servercertlevel3areq
.filename
, clientcertlevel2breq
.filename
,
499 false, false, "qemu.org", NULL
);
503 test_tls_discard_cert(&clientcertreq
);
504 test_tls_discard_cert(&clientcertaltreq
);
506 test_tls_discard_cert(&servercertreq
);
507 test_tls_discard_cert(&servercertalt1req
);
508 test_tls_discard_cert(&servercertalt2req
);
510 test_tls_discard_cert(&cacertreq
);
511 test_tls_discard_cert(&altcacertreq
);
513 test_tls_discard_cert(&cacertrootreq
);
514 test_tls_discard_cert(&cacertlevel1areq
);
515 test_tls_discard_cert(&cacertlevel1breq
);
516 test_tls_discard_cert(&cacertlevel2areq
);
517 test_tls_discard_cert(&servercertlevel3areq
);
518 test_tls_discard_cert(&clientcertlevel2breq
);
519 unlink(WORKDIR
"cacertchain-sess.pem");
521 test_tls_cleanup(KEYFILE
);
524 return ret
== 0 ? EXIT_SUCCESS
: EXIT_FAILURE
;
527 #else /* ! QCRYPTO_HAVE_TLS_TEST_SUPPORT */
535 #endif /* ! QCRYPTO_HAVE_TLS_TEST_SUPPORT */