2015-03-02 18:23:31 +01:00
|
|
|
/*
|
|
|
|
* Copyright (C) 2015 Red Hat, Inc.
|
|
|
|
*
|
|
|
|
* This library is free software; you can redistribute it and/or
|
|
|
|
* modify it under the terms of the GNU Lesser General Public
|
|
|
|
* License as published by the Free Software Foundation; either
|
|
|
|
* version 2.1 of the License, or (at your option) any later version.
|
|
|
|
*
|
|
|
|
* This library is distributed in the hope that it will be useful,
|
|
|
|
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
|
|
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
|
|
|
|
* Lesser General Public License for more details.
|
|
|
|
*
|
|
|
|
* You should have received a copy of the GNU Lesser General Public
|
|
|
|
* License along with this library. If not, see
|
|
|
|
* <http://www.gnu.org/licenses/>.
|
|
|
|
*
|
|
|
|
* Author: Daniel P. Berrange <berrange@redhat.com>
|
|
|
|
*/
|
|
|
|
|
2016-02-08 19:08:51 +01:00
|
|
|
#include "qemu/osdep.h"
|
2015-03-02 18:23:31 +01:00
|
|
|
|
|
|
|
#include "crypto-tls-x509-helpers.h"
|
crypto: Implement TLS Pre-Shared Keys (PSK).
Pre-Shared Keys (PSK) is a simpler mechanism for enabling TLS
connections than using certificates. It requires only a simple secret
key:
$ mkdir -m 0700 /tmp/keys
$ psktool -u rjones -p /tmp/keys/keys.psk
$ cat /tmp/keys/keys.psk
rjones:d543770c15ad93d76443fb56f501a31969235f47e999720ae8d2336f6a13fcbc
The key can be secretly shared between clients and servers. Clients
must specify the directory containing the "keys.psk" file and a
username (defaults to "qemu"). Servers must specify only the
directory.
Example NBD client:
$ qemu-img info \
--object tls-creds-psk,id=tls0,dir=/tmp/keys,username=rjones,endpoint=client \
--image-opts \
file.driver=nbd,file.host=localhost,file.port=10809,file.tls-creds=tls0,file.export=/
Example NBD server using qemu-nbd:
$ qemu-nbd -t -x / \
--object tls-creds-psk,id=tls0,endpoint=server,dir=/tmp/keys \
--tls-creds tls0 \
image.qcow2
Example NBD server using nbdkit:
$ nbdkit -n -e / -fv \
--tls=on --tls-psk=/tmp/keys/keys.psk \
file file=disk.img
Signed-off-by: Richard W.M. Jones <rjones@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
2018-07-03 10:03:03 +02:00
|
|
|
#include "crypto-tls-psk-helpers.h"
|
2015-03-02 18:23:31 +01:00
|
|
|
#include "crypto/tlscredsx509.h"
|
crypto: Implement TLS Pre-Shared Keys (PSK).
Pre-Shared Keys (PSK) is a simpler mechanism for enabling TLS
connections than using certificates. It requires only a simple secret
key:
$ mkdir -m 0700 /tmp/keys
$ psktool -u rjones -p /tmp/keys/keys.psk
$ cat /tmp/keys/keys.psk
rjones:d543770c15ad93d76443fb56f501a31969235f47e999720ae8d2336f6a13fcbc
The key can be secretly shared between clients and servers. Clients
must specify the directory containing the "keys.psk" file and a
username (defaults to "qemu"). Servers must specify only the
directory.
Example NBD client:
$ qemu-img info \
--object tls-creds-psk,id=tls0,dir=/tmp/keys,username=rjones,endpoint=client \
--image-opts \
file.driver=nbd,file.host=localhost,file.port=10809,file.tls-creds=tls0,file.export=/
Example NBD server using qemu-nbd:
$ qemu-nbd -t -x / \
--object tls-creds-psk,id=tls0,endpoint=server,dir=/tmp/keys \
--tls-creds tls0 \
image.qcow2
Example NBD server using nbdkit:
$ nbdkit -n -e / -fv \
--tls=on --tls-psk=/tmp/keys/keys.psk \
file file=disk.img
Signed-off-by: Richard W.M. Jones <rjones@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
2018-07-03 10:03:03 +02:00
|
|
|
#include "crypto/tlscredspsk.h"
|
2015-03-02 18:23:31 +01:00
|
|
|
#include "crypto/tlssession.h"
|
|
|
|
#include "qom/object_interfaces.h"
|
include/qemu/osdep.h: Don't include qapi/error.h
Commit 57cb38b included qapi/error.h into qemu/osdep.h to get the
Error typedef. Since then, we've moved to include qemu/osdep.h
everywhere. Its file comment explains: "To avoid getting into
possible circular include dependencies, this file should not include
any other QEMU headers, with the exceptions of config-host.h,
compiler.h, os-posix.h and os-win32.h, all of which are doing a
similar job to this file and are under similar constraints."
qapi/error.h doesn't do a similar job, and it doesn't adhere to
similar constraints: it includes qapi-types.h. That's in excess of
100KiB of crap most .c files don't actually need.
Add the typedef to qemu/typedefs.h, and include that instead of
qapi/error.h. Include qapi/error.h in .c files that need it and don't
get it now. Include qapi-types.h in qom/object.h for uint16List.
Update scripts/clean-includes accordingly. Update it further to match
reality: replace config.h by config-target.h, add sysemu/os-posix.h,
sysemu/os-win32.h. Update the list of includes in the qemu/osdep.h
comment quoted above similarly.
This reduces the number of objects depending on qapi/error.h from "all
of them" to less than a third. Unfortunately, the number depending on
qapi-types.h shrinks only a little. More work is needed for that one.
Signed-off-by: Markus Armbruster <armbru@redhat.com>
[Fix compilation without the spice devel packages. - Paolo]
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2016-03-14 09:01:28 +01:00
|
|
|
#include "qapi/error.h"
|
2015-03-02 18:23:31 +01:00
|
|
|
#include "qemu/sockets.h"
|
2016-02-18 19:40:24 +01:00
|
|
|
#include "authz/list.h"
|
2015-03-02 18:23:31 +01:00
|
|
|
|
|
|
|
#ifdef QCRYPTO_HAVE_TLS_TEST_SUPPORT
|
|
|
|
|
|
|
|
#define WORKDIR "tests/test-crypto-tlssession-work/"
|
crypto: Implement TLS Pre-Shared Keys (PSK).
Pre-Shared Keys (PSK) is a simpler mechanism for enabling TLS
connections than using certificates. It requires only a simple secret
key:
$ mkdir -m 0700 /tmp/keys
$ psktool -u rjones -p /tmp/keys/keys.psk
$ cat /tmp/keys/keys.psk
rjones:d543770c15ad93d76443fb56f501a31969235f47e999720ae8d2336f6a13fcbc
The key can be secretly shared between clients and servers. Clients
must specify the directory containing the "keys.psk" file and a
username (defaults to "qemu"). Servers must specify only the
directory.
Example NBD client:
$ qemu-img info \
--object tls-creds-psk,id=tls0,dir=/tmp/keys,username=rjones,endpoint=client \
--image-opts \
file.driver=nbd,file.host=localhost,file.port=10809,file.tls-creds=tls0,file.export=/
Example NBD server using qemu-nbd:
$ qemu-nbd -t -x / \
--object tls-creds-psk,id=tls0,endpoint=server,dir=/tmp/keys \
--tls-creds tls0 \
image.qcow2
Example NBD server using nbdkit:
$ nbdkit -n -e / -fv \
--tls=on --tls-psk=/tmp/keys/keys.psk \
file file=disk.img
Signed-off-by: Richard W.M. Jones <rjones@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
2018-07-03 10:03:03 +02:00
|
|
|
#define PSKFILE WORKDIR "keys.psk"
|
2015-03-02 18:23:31 +01:00
|
|
|
#define KEYFILE WORKDIR "key-ctx.pem"
|
|
|
|
|
|
|
|
static ssize_t testWrite(const char *buf, size_t len, void *opaque)
|
|
|
|
{
|
|
|
|
int *fd = opaque;
|
|
|
|
|
|
|
|
return write(*fd, buf, len);
|
|
|
|
}
|
|
|
|
|
|
|
|
static ssize_t testRead(char *buf, size_t len, void *opaque)
|
|
|
|
{
|
|
|
|
int *fd = opaque;
|
|
|
|
|
|
|
|
return read(*fd, buf, len);
|
|
|
|
}
|
|
|
|
|
crypto: Implement TLS Pre-Shared Keys (PSK).
Pre-Shared Keys (PSK) is a simpler mechanism for enabling TLS
connections than using certificates. It requires only a simple secret
key:
$ mkdir -m 0700 /tmp/keys
$ psktool -u rjones -p /tmp/keys/keys.psk
$ cat /tmp/keys/keys.psk
rjones:d543770c15ad93d76443fb56f501a31969235f47e999720ae8d2336f6a13fcbc
The key can be secretly shared between clients and servers. Clients
must specify the directory containing the "keys.psk" file and a
username (defaults to "qemu"). Servers must specify only the
directory.
Example NBD client:
$ qemu-img info \
--object tls-creds-psk,id=tls0,dir=/tmp/keys,username=rjones,endpoint=client \
--image-opts \
file.driver=nbd,file.host=localhost,file.port=10809,file.tls-creds=tls0,file.export=/
Example NBD server using qemu-nbd:
$ qemu-nbd -t -x / \
--object tls-creds-psk,id=tls0,endpoint=server,dir=/tmp/keys \
--tls-creds tls0 \
image.qcow2
Example NBD server using nbdkit:
$ nbdkit -n -e / -fv \
--tls=on --tls-psk=/tmp/keys/keys.psk \
file file=disk.img
Signed-off-by: Richard W.M. Jones <rjones@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
2018-07-03 10:03:03 +02:00
|
|
|
static QCryptoTLSCreds *test_tls_creds_psk_create(
|
|
|
|
QCryptoTLSCredsEndpoint endpoint,
|
2018-07-18 11:06:43 +02:00
|
|
|
const char *dir)
|
crypto: Implement TLS Pre-Shared Keys (PSK).
Pre-Shared Keys (PSK) is a simpler mechanism for enabling TLS
connections than using certificates. It requires only a simple secret
key:
$ mkdir -m 0700 /tmp/keys
$ psktool -u rjones -p /tmp/keys/keys.psk
$ cat /tmp/keys/keys.psk
rjones:d543770c15ad93d76443fb56f501a31969235f47e999720ae8d2336f6a13fcbc
The key can be secretly shared between clients and servers. Clients
must specify the directory containing the "keys.psk" file and a
username (defaults to "qemu"). Servers must specify only the
directory.
Example NBD client:
$ qemu-img info \
--object tls-creds-psk,id=tls0,dir=/tmp/keys,username=rjones,endpoint=client \
--image-opts \
file.driver=nbd,file.host=localhost,file.port=10809,file.tls-creds=tls0,file.export=/
Example NBD server using qemu-nbd:
$ qemu-nbd -t -x / \
--object tls-creds-psk,id=tls0,endpoint=server,dir=/tmp/keys \
--tls-creds tls0 \
image.qcow2
Example NBD server using nbdkit:
$ nbdkit -n -e / -fv \
--tls=on --tls-psk=/tmp/keys/keys.psk \
file file=disk.img
Signed-off-by: Richard W.M. Jones <rjones@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
2018-07-03 10:03:03 +02:00
|
|
|
{
|
|
|
|
Object *parent = object_get_objects_root();
|
|
|
|
Object *creds = object_new_with_props(
|
|
|
|
TYPE_QCRYPTO_TLS_CREDS_PSK,
|
|
|
|
parent,
|
|
|
|
(endpoint == QCRYPTO_TLS_CREDS_ENDPOINT_SERVER ?
|
|
|
|
"testtlscredsserver" : "testtlscredsclient"),
|
2018-07-18 11:06:43 +02:00
|
|
|
&error_abort,
|
crypto: Implement TLS Pre-Shared Keys (PSK).
Pre-Shared Keys (PSK) is a simpler mechanism for enabling TLS
connections than using certificates. It requires only a simple secret
key:
$ mkdir -m 0700 /tmp/keys
$ psktool -u rjones -p /tmp/keys/keys.psk
$ cat /tmp/keys/keys.psk
rjones:d543770c15ad93d76443fb56f501a31969235f47e999720ae8d2336f6a13fcbc
The key can be secretly shared between clients and servers. Clients
must specify the directory containing the "keys.psk" file and a
username (defaults to "qemu"). Servers must specify only the
directory.
Example NBD client:
$ qemu-img info \
--object tls-creds-psk,id=tls0,dir=/tmp/keys,username=rjones,endpoint=client \
--image-opts \
file.driver=nbd,file.host=localhost,file.port=10809,file.tls-creds=tls0,file.export=/
Example NBD server using qemu-nbd:
$ qemu-nbd -t -x / \
--object tls-creds-psk,id=tls0,endpoint=server,dir=/tmp/keys \
--tls-creds tls0 \
image.qcow2
Example NBD server using nbdkit:
$ nbdkit -n -e / -fv \
--tls=on --tls-psk=/tmp/keys/keys.psk \
file file=disk.img
Signed-off-by: Richard W.M. Jones <rjones@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
2018-07-03 10:03:03 +02:00
|
|
|
"endpoint", (endpoint == QCRYPTO_TLS_CREDS_ENDPOINT_SERVER ?
|
|
|
|
"server" : "client"),
|
|
|
|
"dir", dir,
|
|
|
|
"priority", "NORMAL",
|
|
|
|
NULL
|
|
|
|
);
|
|
|
|
return QCRYPTO_TLS_CREDS(creds);
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
static void test_crypto_tls_session_psk(void)
|
|
|
|
{
|
|
|
|
QCryptoTLSCreds *clientCreds;
|
|
|
|
QCryptoTLSCreds *serverCreds;
|
|
|
|
QCryptoTLSSession *clientSess = NULL;
|
|
|
|
QCryptoTLSSession *serverSess = NULL;
|
|
|
|
int channel[2];
|
|
|
|
bool clientShake = false;
|
|
|
|
bool serverShake = false;
|
|
|
|
int ret;
|
|
|
|
|
|
|
|
/* We'll use this for our fake client-server connection */
|
|
|
|
ret = socketpair(AF_UNIX, SOCK_STREAM, 0, channel);
|
|
|
|
g_assert(ret == 0);
|
|
|
|
|
|
|
|
/*
|
|
|
|
* We have an evil loop to do the handshake in a single
|
|
|
|
* thread, so we need these non-blocking to avoid deadlock
|
|
|
|
* of ourselves
|
|
|
|
*/
|
|
|
|
qemu_set_nonblock(channel[0]);
|
|
|
|
qemu_set_nonblock(channel[1]);
|
|
|
|
|
|
|
|
clientCreds = test_tls_creds_psk_create(
|
|
|
|
QCRYPTO_TLS_CREDS_ENDPOINT_CLIENT,
|
2018-07-18 11:06:43 +02:00
|
|
|
WORKDIR);
|
crypto: Implement TLS Pre-Shared Keys (PSK).
Pre-Shared Keys (PSK) is a simpler mechanism for enabling TLS
connections than using certificates. It requires only a simple secret
key:
$ mkdir -m 0700 /tmp/keys
$ psktool -u rjones -p /tmp/keys/keys.psk
$ cat /tmp/keys/keys.psk
rjones:d543770c15ad93d76443fb56f501a31969235f47e999720ae8d2336f6a13fcbc
The key can be secretly shared between clients and servers. Clients
must specify the directory containing the "keys.psk" file and a
username (defaults to "qemu"). Servers must specify only the
directory.
Example NBD client:
$ qemu-img info \
--object tls-creds-psk,id=tls0,dir=/tmp/keys,username=rjones,endpoint=client \
--image-opts \
file.driver=nbd,file.host=localhost,file.port=10809,file.tls-creds=tls0,file.export=/
Example NBD server using qemu-nbd:
$ qemu-nbd -t -x / \
--object tls-creds-psk,id=tls0,endpoint=server,dir=/tmp/keys \
--tls-creds tls0 \
image.qcow2
Example NBD server using nbdkit:
$ nbdkit -n -e / -fv \
--tls=on --tls-psk=/tmp/keys/keys.psk \
file file=disk.img
Signed-off-by: Richard W.M. Jones <rjones@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
2018-07-03 10:03:03 +02:00
|
|
|
g_assert(clientCreds != NULL);
|
|
|
|
|
|
|
|
serverCreds = test_tls_creds_psk_create(
|
|
|
|
QCRYPTO_TLS_CREDS_ENDPOINT_SERVER,
|
2018-07-18 11:06:43 +02:00
|
|
|
WORKDIR);
|
crypto: Implement TLS Pre-Shared Keys (PSK).
Pre-Shared Keys (PSK) is a simpler mechanism for enabling TLS
connections than using certificates. It requires only a simple secret
key:
$ mkdir -m 0700 /tmp/keys
$ psktool -u rjones -p /tmp/keys/keys.psk
$ cat /tmp/keys/keys.psk
rjones:d543770c15ad93d76443fb56f501a31969235f47e999720ae8d2336f6a13fcbc
The key can be secretly shared between clients and servers. Clients
must specify the directory containing the "keys.psk" file and a
username (defaults to "qemu"). Servers must specify only the
directory.
Example NBD client:
$ qemu-img info \
--object tls-creds-psk,id=tls0,dir=/tmp/keys,username=rjones,endpoint=client \
--image-opts \
file.driver=nbd,file.host=localhost,file.port=10809,file.tls-creds=tls0,file.export=/
Example NBD server using qemu-nbd:
$ qemu-nbd -t -x / \
--object tls-creds-psk,id=tls0,endpoint=server,dir=/tmp/keys \
--tls-creds tls0 \
image.qcow2
Example NBD server using nbdkit:
$ nbdkit -n -e / -fv \
--tls=on --tls-psk=/tmp/keys/keys.psk \
file file=disk.img
Signed-off-by: Richard W.M. Jones <rjones@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
2018-07-03 10:03:03 +02:00
|
|
|
g_assert(serverCreds != NULL);
|
|
|
|
|
|
|
|
/* Now the real part of the test, setup the sessions */
|
|
|
|
clientSess = qcrypto_tls_session_new(
|
|
|
|
clientCreds, NULL, NULL,
|
2018-07-18 11:06:43 +02:00
|
|
|
QCRYPTO_TLS_CREDS_ENDPOINT_CLIENT, &error_abort);
|
|
|
|
g_assert(clientSess != NULL);
|
|
|
|
|
crypto: Implement TLS Pre-Shared Keys (PSK).
Pre-Shared Keys (PSK) is a simpler mechanism for enabling TLS
connections than using certificates. It requires only a simple secret
key:
$ mkdir -m 0700 /tmp/keys
$ psktool -u rjones -p /tmp/keys/keys.psk
$ cat /tmp/keys/keys.psk
rjones:d543770c15ad93d76443fb56f501a31969235f47e999720ae8d2336f6a13fcbc
The key can be secretly shared between clients and servers. Clients
must specify the directory containing the "keys.psk" file and a
username (defaults to "qemu"). Servers must specify only the
directory.
Example NBD client:
$ qemu-img info \
--object tls-creds-psk,id=tls0,dir=/tmp/keys,username=rjones,endpoint=client \
--image-opts \
file.driver=nbd,file.host=localhost,file.port=10809,file.tls-creds=tls0,file.export=/
Example NBD server using qemu-nbd:
$ qemu-nbd -t -x / \
--object tls-creds-psk,id=tls0,endpoint=server,dir=/tmp/keys \
--tls-creds tls0 \
image.qcow2
Example NBD server using nbdkit:
$ nbdkit -n -e / -fv \
--tls=on --tls-psk=/tmp/keys/keys.psk \
file file=disk.img
Signed-off-by: Richard W.M. Jones <rjones@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
2018-07-03 10:03:03 +02:00
|
|
|
serverSess = qcrypto_tls_session_new(
|
|
|
|
serverCreds, NULL, NULL,
|
2018-07-18 11:06:43 +02:00
|
|
|
QCRYPTO_TLS_CREDS_ENDPOINT_SERVER, &error_abort);
|
crypto: Implement TLS Pre-Shared Keys (PSK).
Pre-Shared Keys (PSK) is a simpler mechanism for enabling TLS
connections than using certificates. It requires only a simple secret
key:
$ mkdir -m 0700 /tmp/keys
$ psktool -u rjones -p /tmp/keys/keys.psk
$ cat /tmp/keys/keys.psk
rjones:d543770c15ad93d76443fb56f501a31969235f47e999720ae8d2336f6a13fcbc
The key can be secretly shared between clients and servers. Clients
must specify the directory containing the "keys.psk" file and a
username (defaults to "qemu"). Servers must specify only the
directory.
Example NBD client:
$ qemu-img info \
--object tls-creds-psk,id=tls0,dir=/tmp/keys,username=rjones,endpoint=client \
--image-opts \
file.driver=nbd,file.host=localhost,file.port=10809,file.tls-creds=tls0,file.export=/
Example NBD server using qemu-nbd:
$ qemu-nbd -t -x / \
--object tls-creds-psk,id=tls0,endpoint=server,dir=/tmp/keys \
--tls-creds tls0 \
image.qcow2
Example NBD server using nbdkit:
$ nbdkit -n -e / -fv \
--tls=on --tls-psk=/tmp/keys/keys.psk \
file file=disk.img
Signed-off-by: Richard W.M. Jones <rjones@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
2018-07-03 10:03:03 +02:00
|
|
|
g_assert(serverSess != NULL);
|
|
|
|
|
|
|
|
/* For handshake to work, we need to set the I/O callbacks
|
|
|
|
* to read/write over the socketpair
|
|
|
|
*/
|
|
|
|
qcrypto_tls_session_set_callbacks(serverSess,
|
|
|
|
testWrite, testRead,
|
|
|
|
&channel[0]);
|
|
|
|
qcrypto_tls_session_set_callbacks(clientSess,
|
|
|
|
testWrite, testRead,
|
|
|
|
&channel[1]);
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Finally we loop around & around doing handshake on each
|
|
|
|
* session until we get an error, or the handshake completes.
|
|
|
|
* This relies on the socketpair being nonblocking to avoid
|
|
|
|
* deadlocking ourselves upon handshake
|
|
|
|
*/
|
|
|
|
do {
|
|
|
|
int rv;
|
|
|
|
if (!serverShake) {
|
|
|
|
rv = qcrypto_tls_session_handshake(serverSess,
|
2018-07-18 11:06:43 +02:00
|
|
|
&error_abort);
|
crypto: Implement TLS Pre-Shared Keys (PSK).
Pre-Shared Keys (PSK) is a simpler mechanism for enabling TLS
connections than using certificates. It requires only a simple secret
key:
$ mkdir -m 0700 /tmp/keys
$ psktool -u rjones -p /tmp/keys/keys.psk
$ cat /tmp/keys/keys.psk
rjones:d543770c15ad93d76443fb56f501a31969235f47e999720ae8d2336f6a13fcbc
The key can be secretly shared between clients and servers. Clients
must specify the directory containing the "keys.psk" file and a
username (defaults to "qemu"). Servers must specify only the
directory.
Example NBD client:
$ qemu-img info \
--object tls-creds-psk,id=tls0,dir=/tmp/keys,username=rjones,endpoint=client \
--image-opts \
file.driver=nbd,file.host=localhost,file.port=10809,file.tls-creds=tls0,file.export=/
Example NBD server using qemu-nbd:
$ qemu-nbd -t -x / \
--object tls-creds-psk,id=tls0,endpoint=server,dir=/tmp/keys \
--tls-creds tls0 \
image.qcow2
Example NBD server using nbdkit:
$ nbdkit -n -e / -fv \
--tls=on --tls-psk=/tmp/keys/keys.psk \
file file=disk.img
Signed-off-by: Richard W.M. Jones <rjones@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
2018-07-03 10:03:03 +02:00
|
|
|
g_assert(rv >= 0);
|
|
|
|
if (qcrypto_tls_session_get_handshake_status(serverSess) ==
|
|
|
|
QCRYPTO_TLS_HANDSHAKE_COMPLETE) {
|
|
|
|
serverShake = true;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
if (!clientShake) {
|
|
|
|
rv = qcrypto_tls_session_handshake(clientSess,
|
2018-07-18 11:06:43 +02:00
|
|
|
&error_abort);
|
crypto: Implement TLS Pre-Shared Keys (PSK).
Pre-Shared Keys (PSK) is a simpler mechanism for enabling TLS
connections than using certificates. It requires only a simple secret
key:
$ mkdir -m 0700 /tmp/keys
$ psktool -u rjones -p /tmp/keys/keys.psk
$ cat /tmp/keys/keys.psk
rjones:d543770c15ad93d76443fb56f501a31969235f47e999720ae8d2336f6a13fcbc
The key can be secretly shared between clients and servers. Clients
must specify the directory containing the "keys.psk" file and a
username (defaults to "qemu"). Servers must specify only the
directory.
Example NBD client:
$ qemu-img info \
--object tls-creds-psk,id=tls0,dir=/tmp/keys,username=rjones,endpoint=client \
--image-opts \
file.driver=nbd,file.host=localhost,file.port=10809,file.tls-creds=tls0,file.export=/
Example NBD server using qemu-nbd:
$ qemu-nbd -t -x / \
--object tls-creds-psk,id=tls0,endpoint=server,dir=/tmp/keys \
--tls-creds tls0 \
image.qcow2
Example NBD server using nbdkit:
$ nbdkit -n -e / -fv \
--tls=on --tls-psk=/tmp/keys/keys.psk \
file file=disk.img
Signed-off-by: Richard W.M. Jones <rjones@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
2018-07-03 10:03:03 +02:00
|
|
|
g_assert(rv >= 0);
|
|
|
|
if (qcrypto_tls_session_get_handshake_status(clientSess) ==
|
|
|
|
QCRYPTO_TLS_HANDSHAKE_COMPLETE) {
|
|
|
|
clientShake = true;
|
|
|
|
}
|
|
|
|
}
|
2018-07-18 11:24:59 +02:00
|
|
|
} while (!clientShake || !serverShake);
|
crypto: Implement TLS Pre-Shared Keys (PSK).
Pre-Shared Keys (PSK) is a simpler mechanism for enabling TLS
connections than using certificates. It requires only a simple secret
key:
$ mkdir -m 0700 /tmp/keys
$ psktool -u rjones -p /tmp/keys/keys.psk
$ cat /tmp/keys/keys.psk
rjones:d543770c15ad93d76443fb56f501a31969235f47e999720ae8d2336f6a13fcbc
The key can be secretly shared between clients and servers. Clients
must specify the directory containing the "keys.psk" file and a
username (defaults to "qemu"). Servers must specify only the
directory.
Example NBD client:
$ qemu-img info \
--object tls-creds-psk,id=tls0,dir=/tmp/keys,username=rjones,endpoint=client \
--image-opts \
file.driver=nbd,file.host=localhost,file.port=10809,file.tls-creds=tls0,file.export=/
Example NBD server using qemu-nbd:
$ qemu-nbd -t -x / \
--object tls-creds-psk,id=tls0,endpoint=server,dir=/tmp/keys \
--tls-creds tls0 \
image.qcow2
Example NBD server using nbdkit:
$ nbdkit -n -e / -fv \
--tls=on --tls-psk=/tmp/keys/keys.psk \
file file=disk.img
Signed-off-by: Richard W.M. Jones <rjones@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
2018-07-03 10:03:03 +02:00
|
|
|
|
|
|
|
|
|
|
|
/* Finally make sure the server & client validation is successful. */
|
2018-07-18 11:06:43 +02:00
|
|
|
g_assert(qcrypto_tls_session_check_credentials(serverSess,
|
|
|
|
&error_abort) == 0);
|
|
|
|
g_assert(qcrypto_tls_session_check_credentials(clientSess,
|
|
|
|
&error_abort) == 0);
|
crypto: Implement TLS Pre-Shared Keys (PSK).
Pre-Shared Keys (PSK) is a simpler mechanism for enabling TLS
connections than using certificates. It requires only a simple secret
key:
$ mkdir -m 0700 /tmp/keys
$ psktool -u rjones -p /tmp/keys/keys.psk
$ cat /tmp/keys/keys.psk
rjones:d543770c15ad93d76443fb56f501a31969235f47e999720ae8d2336f6a13fcbc
The key can be secretly shared between clients and servers. Clients
must specify the directory containing the "keys.psk" file and a
username (defaults to "qemu"). Servers must specify only the
directory.
Example NBD client:
$ qemu-img info \
--object tls-creds-psk,id=tls0,dir=/tmp/keys,username=rjones,endpoint=client \
--image-opts \
file.driver=nbd,file.host=localhost,file.port=10809,file.tls-creds=tls0,file.export=/
Example NBD server using qemu-nbd:
$ qemu-nbd -t -x / \
--object tls-creds-psk,id=tls0,endpoint=server,dir=/tmp/keys \
--tls-creds tls0 \
image.qcow2
Example NBD server using nbdkit:
$ nbdkit -n -e / -fv \
--tls=on --tls-psk=/tmp/keys/keys.psk \
file file=disk.img
Signed-off-by: Richard W.M. Jones <rjones@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
2018-07-03 10:03:03 +02:00
|
|
|
|
|
|
|
object_unparent(OBJECT(serverCreds));
|
|
|
|
object_unparent(OBJECT(clientCreds));
|
|
|
|
|
|
|
|
qcrypto_tls_session_free(serverSess);
|
|
|
|
qcrypto_tls_session_free(clientSess);
|
|
|
|
|
|
|
|
close(channel[0]);
|
|
|
|
close(channel[1]);
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
struct QCryptoTLSSessionTestData {
|
|
|
|
const char *servercacrt;
|
|
|
|
const char *clientcacrt;
|
|
|
|
const char *servercrt;
|
|
|
|
const char *clientcrt;
|
|
|
|
bool expectServerFail;
|
|
|
|
bool expectClientFail;
|
|
|
|
const char *hostname;
|
|
|
|
const char *const *wildcards;
|
|
|
|
};
|
|
|
|
|
|
|
|
static QCryptoTLSCreds *test_tls_creds_x509_create(
|
|
|
|
QCryptoTLSCredsEndpoint endpoint,
|
2018-07-18 11:06:43 +02:00
|
|
|
const char *certdir)
|
2015-03-02 18:23:31 +01:00
|
|
|
{
|
|
|
|
Object *parent = object_get_objects_root();
|
|
|
|
Object *creds = object_new_with_props(
|
|
|
|
TYPE_QCRYPTO_TLS_CREDS_X509,
|
|
|
|
parent,
|
|
|
|
(endpoint == QCRYPTO_TLS_CREDS_ENDPOINT_SERVER ?
|
|
|
|
"testtlscredsserver" : "testtlscredsclient"),
|
2018-07-18 11:06:43 +02:00
|
|
|
&error_abort,
|
2015-03-02 18:23:31 +01:00
|
|
|
"endpoint", (endpoint == QCRYPTO_TLS_CREDS_ENDPOINT_SERVER ?
|
|
|
|
"server" : "client"),
|
|
|
|
"dir", certdir,
|
|
|
|
"verify-peer", "yes",
|
2018-02-28 15:04:38 +01:00
|
|
|
"priority", "NORMAL",
|
2015-03-02 18:23:31 +01:00
|
|
|
/* We skip initial sanity checks here because we
|
|
|
|
* want to make sure that problems are being
|
|
|
|
* detected at the TLS session validation stage,
|
|
|
|
* and the test-crypto-tlscreds test already
|
|
|
|
* validate the sanity check code.
|
|
|
|
*/
|
|
|
|
"sanity-check", "no",
|
|
|
|
NULL
|
|
|
|
);
|
|
|
|
return QCRYPTO_TLS_CREDS(creds);
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
* This tests validation checking of peer certificates
|
|
|
|
*
|
|
|
|
* This is replicating the checks that are done for an
|
|
|
|
* active TLS session after handshake completes. To
|
|
|
|
* simulate that we create our TLS contexts, skipping
|
|
|
|
* sanity checks. We then get a socketpair, and
|
|
|
|
* initiate a TLS session across them. Finally do
|
|
|
|
* do actual cert validation tests
|
|
|
|
*/
|
crypto: Implement TLS Pre-Shared Keys (PSK).
Pre-Shared Keys (PSK) is a simpler mechanism for enabling TLS
connections than using certificates. It requires only a simple secret
key:
$ mkdir -m 0700 /tmp/keys
$ psktool -u rjones -p /tmp/keys/keys.psk
$ cat /tmp/keys/keys.psk
rjones:d543770c15ad93d76443fb56f501a31969235f47e999720ae8d2336f6a13fcbc
The key can be secretly shared between clients and servers. Clients
must specify the directory containing the "keys.psk" file and a
username (defaults to "qemu"). Servers must specify only the
directory.
Example NBD client:
$ qemu-img info \
--object tls-creds-psk,id=tls0,dir=/tmp/keys,username=rjones,endpoint=client \
--image-opts \
file.driver=nbd,file.host=localhost,file.port=10809,file.tls-creds=tls0,file.export=/
Example NBD server using qemu-nbd:
$ qemu-nbd -t -x / \
--object tls-creds-psk,id=tls0,endpoint=server,dir=/tmp/keys \
--tls-creds tls0 \
image.qcow2
Example NBD server using nbdkit:
$ nbdkit -n -e / -fv \
--tls=on --tls-psk=/tmp/keys/keys.psk \
file file=disk.img
Signed-off-by: Richard W.M. Jones <rjones@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
2018-07-03 10:03:03 +02:00
|
|
|
static void test_crypto_tls_session_x509(const void *opaque)
|
2015-03-02 18:23:31 +01:00
|
|
|
{
|
|
|
|
struct QCryptoTLSSessionTestData *data =
|
|
|
|
(struct QCryptoTLSSessionTestData *)opaque;
|
|
|
|
QCryptoTLSCreds *clientCreds;
|
|
|
|
QCryptoTLSCreds *serverCreds;
|
|
|
|
QCryptoTLSSession *clientSess = NULL;
|
|
|
|
QCryptoTLSSession *serverSess = NULL;
|
2016-02-18 19:40:24 +01:00
|
|
|
QAuthZList *auth;
|
2015-03-02 18:23:31 +01:00
|
|
|
const char * const *wildcards;
|
|
|
|
int channel[2];
|
|
|
|
bool clientShake = false;
|
|
|
|
bool serverShake = false;
|
|
|
|
int ret;
|
|
|
|
|
|
|
|
/* We'll use this for our fake client-server connection */
|
|
|
|
ret = socketpair(AF_UNIX, SOCK_STREAM, 0, channel);
|
|
|
|
g_assert(ret == 0);
|
|
|
|
|
|
|
|
/*
|
|
|
|
* We have an evil loop to do the handshake in a single
|
|
|
|
* thread, so we need these non-blocking to avoid deadlock
|
|
|
|
* of ourselves
|
|
|
|
*/
|
|
|
|
qemu_set_nonblock(channel[0]);
|
|
|
|
qemu_set_nonblock(channel[1]);
|
|
|
|
|
|
|
|
#define CLIENT_CERT_DIR "tests/test-crypto-tlssession-client/"
|
|
|
|
#define SERVER_CERT_DIR "tests/test-crypto-tlssession-server/"
|
|
|
|
mkdir(CLIENT_CERT_DIR, 0700);
|
|
|
|
mkdir(SERVER_CERT_DIR, 0700);
|
|
|
|
|
|
|
|
unlink(SERVER_CERT_DIR QCRYPTO_TLS_CREDS_X509_CA_CERT);
|
|
|
|
unlink(SERVER_CERT_DIR QCRYPTO_TLS_CREDS_X509_SERVER_CERT);
|
|
|
|
unlink(SERVER_CERT_DIR QCRYPTO_TLS_CREDS_X509_SERVER_KEY);
|
|
|
|
|
|
|
|
unlink(CLIENT_CERT_DIR QCRYPTO_TLS_CREDS_X509_CA_CERT);
|
|
|
|
unlink(CLIENT_CERT_DIR QCRYPTO_TLS_CREDS_X509_CLIENT_CERT);
|
|
|
|
unlink(CLIENT_CERT_DIR QCRYPTO_TLS_CREDS_X509_CLIENT_KEY);
|
|
|
|
|
|
|
|
g_assert(link(data->servercacrt,
|
|
|
|
SERVER_CERT_DIR QCRYPTO_TLS_CREDS_X509_CA_CERT) == 0);
|
|
|
|
g_assert(link(data->servercrt,
|
|
|
|
SERVER_CERT_DIR QCRYPTO_TLS_CREDS_X509_SERVER_CERT) == 0);
|
|
|
|
g_assert(link(KEYFILE,
|
|
|
|
SERVER_CERT_DIR QCRYPTO_TLS_CREDS_X509_SERVER_KEY) == 0);
|
|
|
|
|
|
|
|
g_assert(link(data->clientcacrt,
|
|
|
|
CLIENT_CERT_DIR QCRYPTO_TLS_CREDS_X509_CA_CERT) == 0);
|
|
|
|
g_assert(link(data->clientcrt,
|
|
|
|
CLIENT_CERT_DIR QCRYPTO_TLS_CREDS_X509_CLIENT_CERT) == 0);
|
|
|
|
g_assert(link(KEYFILE,
|
|
|
|
CLIENT_CERT_DIR QCRYPTO_TLS_CREDS_X509_CLIENT_KEY) == 0);
|
|
|
|
|
crypto: Implement TLS Pre-Shared Keys (PSK).
Pre-Shared Keys (PSK) is a simpler mechanism for enabling TLS
connections than using certificates. It requires only a simple secret
key:
$ mkdir -m 0700 /tmp/keys
$ psktool -u rjones -p /tmp/keys/keys.psk
$ cat /tmp/keys/keys.psk
rjones:d543770c15ad93d76443fb56f501a31969235f47e999720ae8d2336f6a13fcbc
The key can be secretly shared between clients and servers. Clients
must specify the directory containing the "keys.psk" file and a
username (defaults to "qemu"). Servers must specify only the
directory.
Example NBD client:
$ qemu-img info \
--object tls-creds-psk,id=tls0,dir=/tmp/keys,username=rjones,endpoint=client \
--image-opts \
file.driver=nbd,file.host=localhost,file.port=10809,file.tls-creds=tls0,file.export=/
Example NBD server using qemu-nbd:
$ qemu-nbd -t -x / \
--object tls-creds-psk,id=tls0,endpoint=server,dir=/tmp/keys \
--tls-creds tls0 \
image.qcow2
Example NBD server using nbdkit:
$ nbdkit -n -e / -fv \
--tls=on --tls-psk=/tmp/keys/keys.psk \
file file=disk.img
Signed-off-by: Richard W.M. Jones <rjones@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
2018-07-03 10:03:03 +02:00
|
|
|
clientCreds = test_tls_creds_x509_create(
|
2015-03-02 18:23:31 +01:00
|
|
|
QCRYPTO_TLS_CREDS_ENDPOINT_CLIENT,
|
2018-07-18 11:06:43 +02:00
|
|
|
CLIENT_CERT_DIR);
|
2015-03-02 18:23:31 +01:00
|
|
|
g_assert(clientCreds != NULL);
|
|
|
|
|
crypto: Implement TLS Pre-Shared Keys (PSK).
Pre-Shared Keys (PSK) is a simpler mechanism for enabling TLS
connections than using certificates. It requires only a simple secret
key:
$ mkdir -m 0700 /tmp/keys
$ psktool -u rjones -p /tmp/keys/keys.psk
$ cat /tmp/keys/keys.psk
rjones:d543770c15ad93d76443fb56f501a31969235f47e999720ae8d2336f6a13fcbc
The key can be secretly shared between clients and servers. Clients
must specify the directory containing the "keys.psk" file and a
username (defaults to "qemu"). Servers must specify only the
directory.
Example NBD client:
$ qemu-img info \
--object tls-creds-psk,id=tls0,dir=/tmp/keys,username=rjones,endpoint=client \
--image-opts \
file.driver=nbd,file.host=localhost,file.port=10809,file.tls-creds=tls0,file.export=/
Example NBD server using qemu-nbd:
$ qemu-nbd -t -x / \
--object tls-creds-psk,id=tls0,endpoint=server,dir=/tmp/keys \
--tls-creds tls0 \
image.qcow2
Example NBD server using nbdkit:
$ nbdkit -n -e / -fv \
--tls=on --tls-psk=/tmp/keys/keys.psk \
file file=disk.img
Signed-off-by: Richard W.M. Jones <rjones@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
2018-07-03 10:03:03 +02:00
|
|
|
serverCreds = test_tls_creds_x509_create(
|
2015-03-02 18:23:31 +01:00
|
|
|
QCRYPTO_TLS_CREDS_ENDPOINT_SERVER,
|
2018-07-18 11:06:43 +02:00
|
|
|
SERVER_CERT_DIR);
|
2015-03-02 18:23:31 +01:00
|
|
|
g_assert(serverCreds != NULL);
|
|
|
|
|
2016-02-18 19:40:24 +01:00
|
|
|
auth = qauthz_list_new("tlssessionacl",
|
|
|
|
QAUTHZ_LIST_POLICY_DENY,
|
|
|
|
&error_abort);
|
2015-03-02 18:23:31 +01:00
|
|
|
wildcards = data->wildcards;
|
|
|
|
while (wildcards && *wildcards) {
|
2016-02-18 19:40:24 +01:00
|
|
|
qauthz_list_append_rule(auth, *wildcards,
|
|
|
|
QAUTHZ_LIST_POLICY_ALLOW,
|
|
|
|
QAUTHZ_LIST_FORMAT_GLOB,
|
|
|
|
&error_abort);
|
2015-03-02 18:23:31 +01:00
|
|
|
wildcards++;
|
|
|
|
}
|
|
|
|
|
|
|
|
/* Now the real part of the test, setup the sessions */
|
|
|
|
clientSess = qcrypto_tls_session_new(
|
|
|
|
clientCreds, data->hostname, NULL,
|
2018-07-18 11:06:43 +02:00
|
|
|
QCRYPTO_TLS_CREDS_ENDPOINT_CLIENT, &error_abort);
|
|
|
|
g_assert(clientSess != NULL);
|
|
|
|
|
2015-03-02 18:23:31 +01:00
|
|
|
serverSess = qcrypto_tls_session_new(
|
|
|
|
serverCreds, NULL,
|
|
|
|
data->wildcards ? "tlssessionacl" : NULL,
|
2018-07-18 11:06:43 +02:00
|
|
|
QCRYPTO_TLS_CREDS_ENDPOINT_SERVER, &error_abort);
|
2015-03-02 18:23:31 +01:00
|
|
|
g_assert(serverSess != NULL);
|
|
|
|
|
|
|
|
/* For handshake to work, we need to set the I/O callbacks
|
|
|
|
* to read/write over the socketpair
|
|
|
|
*/
|
|
|
|
qcrypto_tls_session_set_callbacks(serverSess,
|
|
|
|
testWrite, testRead,
|
|
|
|
&channel[0]);
|
|
|
|
qcrypto_tls_session_set_callbacks(clientSess,
|
|
|
|
testWrite, testRead,
|
|
|
|
&channel[1]);
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Finally we loop around & around doing handshake on each
|
|
|
|
* session until we get an error, or the handshake completes.
|
|
|
|
* This relies on the socketpair being nonblocking to avoid
|
|
|
|
* deadlocking ourselves upon handshake
|
|
|
|
*/
|
|
|
|
do {
|
|
|
|
int rv;
|
|
|
|
if (!serverShake) {
|
|
|
|
rv = qcrypto_tls_session_handshake(serverSess,
|
2018-07-18 11:06:43 +02:00
|
|
|
&error_abort);
|
2015-03-02 18:23:31 +01:00
|
|
|
g_assert(rv >= 0);
|
|
|
|
if (qcrypto_tls_session_get_handshake_status(serverSess) ==
|
|
|
|
QCRYPTO_TLS_HANDSHAKE_COMPLETE) {
|
|
|
|
serverShake = true;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
if (!clientShake) {
|
|
|
|
rv = qcrypto_tls_session_handshake(clientSess,
|
2018-07-18 11:06:43 +02:00
|
|
|
&error_abort);
|
2015-03-02 18:23:31 +01:00
|
|
|
g_assert(rv >= 0);
|
|
|
|
if (qcrypto_tls_session_get_handshake_status(clientSess) ==
|
|
|
|
QCRYPTO_TLS_HANDSHAKE_COMPLETE) {
|
|
|
|
clientShake = true;
|
|
|
|
}
|
|
|
|
}
|
2018-07-18 11:24:59 +02:00
|
|
|
} while (!clientShake || !serverShake);
|
2015-03-02 18:23:31 +01:00
|
|
|
|
|
|
|
|
|
|
|
/* Finally make sure the server validation does what
|
|
|
|
* we were expecting
|
|
|
|
*/
|
2018-07-18 11:06:43 +02:00
|
|
|
if (qcrypto_tls_session_check_credentials(
|
|
|
|
serverSess, data->expectServerFail ? NULL : &error_abort) < 0) {
|
2015-03-02 18:23:31 +01:00
|
|
|
g_assert(data->expectServerFail);
|
|
|
|
} else {
|
|
|
|
g_assert(!data->expectServerFail);
|
|
|
|
}
|
|
|
|
|
|
|
|
/*
|
|
|
|
* And the same for the client validation check
|
|
|
|
*/
|
2018-07-18 11:06:43 +02:00
|
|
|
if (qcrypto_tls_session_check_credentials(
|
|
|
|
clientSess, data->expectClientFail ? NULL : &error_abort) < 0) {
|
2015-03-02 18:23:31 +01:00
|
|
|
g_assert(data->expectClientFail);
|
|
|
|
} else {
|
|
|
|
g_assert(!data->expectClientFail);
|
|
|
|
}
|
|
|
|
|
|
|
|
unlink(SERVER_CERT_DIR QCRYPTO_TLS_CREDS_X509_CA_CERT);
|
|
|
|
unlink(SERVER_CERT_DIR QCRYPTO_TLS_CREDS_X509_SERVER_CERT);
|
|
|
|
unlink(SERVER_CERT_DIR QCRYPTO_TLS_CREDS_X509_SERVER_KEY);
|
|
|
|
|
|
|
|
unlink(CLIENT_CERT_DIR QCRYPTO_TLS_CREDS_X509_CA_CERT);
|
|
|
|
unlink(CLIENT_CERT_DIR QCRYPTO_TLS_CREDS_X509_CLIENT_CERT);
|
|
|
|
unlink(CLIENT_CERT_DIR QCRYPTO_TLS_CREDS_X509_CLIENT_KEY);
|
|
|
|
|
|
|
|
rmdir(CLIENT_CERT_DIR);
|
|
|
|
rmdir(SERVER_CERT_DIR);
|
|
|
|
|
|
|
|
object_unparent(OBJECT(serverCreds));
|
|
|
|
object_unparent(OBJECT(clientCreds));
|
2016-02-18 19:40:24 +01:00
|
|
|
object_unparent(OBJECT(auth));
|
2015-03-02 18:23:31 +01:00
|
|
|
|
|
|
|
qcrypto_tls_session_free(serverSess);
|
|
|
|
qcrypto_tls_session_free(clientSess);
|
|
|
|
|
|
|
|
close(channel[0]);
|
|
|
|
close(channel[1]);
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
int main(int argc, char **argv)
|
|
|
|
{
|
|
|
|
int ret;
|
|
|
|
|
|
|
|
module_call_init(MODULE_INIT_QOM);
|
|
|
|
g_test_init(&argc, &argv, NULL);
|
|
|
|
setenv("GNUTLS_FORCE_FIPS_MODE", "2", 1);
|
|
|
|
|
|
|
|
mkdir(WORKDIR, 0700);
|
|
|
|
|
|
|
|
test_tls_init(KEYFILE);
|
crypto: Implement TLS Pre-Shared Keys (PSK).
Pre-Shared Keys (PSK) is a simpler mechanism for enabling TLS
connections than using certificates. It requires only a simple secret
key:
$ mkdir -m 0700 /tmp/keys
$ psktool -u rjones -p /tmp/keys/keys.psk
$ cat /tmp/keys/keys.psk
rjones:d543770c15ad93d76443fb56f501a31969235f47e999720ae8d2336f6a13fcbc
The key can be secretly shared between clients and servers. Clients
must specify the directory containing the "keys.psk" file and a
username (defaults to "qemu"). Servers must specify only the
directory.
Example NBD client:
$ qemu-img info \
--object tls-creds-psk,id=tls0,dir=/tmp/keys,username=rjones,endpoint=client \
--image-opts \
file.driver=nbd,file.host=localhost,file.port=10809,file.tls-creds=tls0,file.export=/
Example NBD server using qemu-nbd:
$ qemu-nbd -t -x / \
--object tls-creds-psk,id=tls0,endpoint=server,dir=/tmp/keys \
--tls-creds tls0 \
image.qcow2
Example NBD server using nbdkit:
$ nbdkit -n -e / -fv \
--tls=on --tls-psk=/tmp/keys/keys.psk \
file file=disk.img
Signed-off-by: Richard W.M. Jones <rjones@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
2018-07-03 10:03:03 +02:00
|
|
|
test_tls_psk_init(PSKFILE);
|
|
|
|
|
|
|
|
/* Simple initial test using Pre-Shared Keys. */
|
|
|
|
g_test_add_func("/qcrypto/tlssession/psk",
|
|
|
|
test_crypto_tls_session_psk);
|
2015-03-02 18:23:31 +01:00
|
|
|
|
crypto: Implement TLS Pre-Shared Keys (PSK).
Pre-Shared Keys (PSK) is a simpler mechanism for enabling TLS
connections than using certificates. It requires only a simple secret
key:
$ mkdir -m 0700 /tmp/keys
$ psktool -u rjones -p /tmp/keys/keys.psk
$ cat /tmp/keys/keys.psk
rjones:d543770c15ad93d76443fb56f501a31969235f47e999720ae8d2336f6a13fcbc
The key can be secretly shared between clients and servers. Clients
must specify the directory containing the "keys.psk" file and a
username (defaults to "qemu"). Servers must specify only the
directory.
Example NBD client:
$ qemu-img info \
--object tls-creds-psk,id=tls0,dir=/tmp/keys,username=rjones,endpoint=client \
--image-opts \
file.driver=nbd,file.host=localhost,file.port=10809,file.tls-creds=tls0,file.export=/
Example NBD server using qemu-nbd:
$ qemu-nbd -t -x / \
--object tls-creds-psk,id=tls0,endpoint=server,dir=/tmp/keys \
--tls-creds tls0 \
image.qcow2
Example NBD server using nbdkit:
$ nbdkit -n -e / -fv \
--tls=on --tls-psk=/tmp/keys/keys.psk \
file file=disk.img
Signed-off-by: Richard W.M. Jones <rjones@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
2018-07-03 10:03:03 +02:00
|
|
|
/* More complex tests using X.509 certificates. */
|
2015-03-02 18:23:31 +01:00
|
|
|
# define TEST_SESS_REG(name, caCrt, \
|
|
|
|
serverCrt, clientCrt, \
|
|
|
|
expectServerFail, expectClientFail, \
|
|
|
|
hostname, wildcards) \
|
|
|
|
struct QCryptoTLSSessionTestData name = { \
|
|
|
|
caCrt, caCrt, serverCrt, clientCrt, \
|
|
|
|
expectServerFail, expectClientFail, \
|
|
|
|
hostname, wildcards \
|
|
|
|
}; \
|
|
|
|
g_test_add_data_func("/qcrypto/tlssession/" # name, \
|
crypto: Implement TLS Pre-Shared Keys (PSK).
Pre-Shared Keys (PSK) is a simpler mechanism for enabling TLS
connections than using certificates. It requires only a simple secret
key:
$ mkdir -m 0700 /tmp/keys
$ psktool -u rjones -p /tmp/keys/keys.psk
$ cat /tmp/keys/keys.psk
rjones:d543770c15ad93d76443fb56f501a31969235f47e999720ae8d2336f6a13fcbc
The key can be secretly shared between clients and servers. Clients
must specify the directory containing the "keys.psk" file and a
username (defaults to "qemu"). Servers must specify only the
directory.
Example NBD client:
$ qemu-img info \
--object tls-creds-psk,id=tls0,dir=/tmp/keys,username=rjones,endpoint=client \
--image-opts \
file.driver=nbd,file.host=localhost,file.port=10809,file.tls-creds=tls0,file.export=/
Example NBD server using qemu-nbd:
$ qemu-nbd -t -x / \
--object tls-creds-psk,id=tls0,endpoint=server,dir=/tmp/keys \
--tls-creds tls0 \
image.qcow2
Example NBD server using nbdkit:
$ nbdkit -n -e / -fv \
--tls=on --tls-psk=/tmp/keys/keys.psk \
file file=disk.img
Signed-off-by: Richard W.M. Jones <rjones@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
2018-07-03 10:03:03 +02:00
|
|
|
&name, test_crypto_tls_session_x509); \
|
2015-03-02 18:23:31 +01:00
|
|
|
|
|
|
|
|
|
|
|
# define TEST_SESS_REG_EXT(name, serverCaCrt, clientCaCrt, \
|
|
|
|
serverCrt, clientCrt, \
|
|
|
|
expectServerFail, expectClientFail, \
|
|
|
|
hostname, wildcards) \
|
|
|
|
struct QCryptoTLSSessionTestData name = { \
|
|
|
|
serverCaCrt, clientCaCrt, serverCrt, clientCrt, \
|
|
|
|
expectServerFail, expectClientFail, \
|
|
|
|
hostname, wildcards \
|
|
|
|
}; \
|
|
|
|
g_test_add_data_func("/qcrypto/tlssession/" # name, \
|
crypto: Implement TLS Pre-Shared Keys (PSK).
Pre-Shared Keys (PSK) is a simpler mechanism for enabling TLS
connections than using certificates. It requires only a simple secret
key:
$ mkdir -m 0700 /tmp/keys
$ psktool -u rjones -p /tmp/keys/keys.psk
$ cat /tmp/keys/keys.psk
rjones:d543770c15ad93d76443fb56f501a31969235f47e999720ae8d2336f6a13fcbc
The key can be secretly shared between clients and servers. Clients
must specify the directory containing the "keys.psk" file and a
username (defaults to "qemu"). Servers must specify only the
directory.
Example NBD client:
$ qemu-img info \
--object tls-creds-psk,id=tls0,dir=/tmp/keys,username=rjones,endpoint=client \
--image-opts \
file.driver=nbd,file.host=localhost,file.port=10809,file.tls-creds=tls0,file.export=/
Example NBD server using qemu-nbd:
$ qemu-nbd -t -x / \
--object tls-creds-psk,id=tls0,endpoint=server,dir=/tmp/keys \
--tls-creds tls0 \
image.qcow2
Example NBD server using nbdkit:
$ nbdkit -n -e / -fv \
--tls=on --tls-psk=/tmp/keys/keys.psk \
file file=disk.img
Signed-off-by: Richard W.M. Jones <rjones@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
2018-07-03 10:03:03 +02:00
|
|
|
&name, test_crypto_tls_session_x509); \
|
2015-03-02 18:23:31 +01:00
|
|
|
|
|
|
|
/* A perfect CA, perfect client & perfect server */
|
|
|
|
|
|
|
|
/* Basic:CA:critical */
|
|
|
|
TLS_ROOT_REQ(cacertreq,
|
|
|
|
"UK", "qemu CA", NULL, NULL, NULL, NULL,
|
|
|
|
true, true, true,
|
|
|
|
true, true, GNUTLS_KEY_KEY_CERT_SIGN,
|
|
|
|
false, false, NULL, NULL,
|
|
|
|
0, 0);
|
|
|
|
|
|
|
|
TLS_ROOT_REQ(altcacertreq,
|
|
|
|
"UK", "qemu CA 1", NULL, NULL, NULL, NULL,
|
|
|
|
true, true, true,
|
|
|
|
false, false, 0,
|
|
|
|
false, false, NULL, NULL,
|
|
|
|
0, 0);
|
|
|
|
|
|
|
|
TLS_CERT_REQ(servercertreq, cacertreq,
|
|
|
|
"UK", "qemu.org", NULL, NULL, NULL, NULL,
|
|
|
|
true, true, false,
|
|
|
|
true, true,
|
|
|
|
GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT,
|
|
|
|
true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL,
|
|
|
|
0, 0);
|
|
|
|
TLS_CERT_REQ(clientcertreq, cacertreq,
|
|
|
|
"UK", "qemu", NULL, NULL, NULL, NULL,
|
|
|
|
true, true, false,
|
|
|
|
true, true,
|
|
|
|
GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT,
|
|
|
|
true, true, GNUTLS_KP_TLS_WWW_CLIENT, NULL,
|
|
|
|
0, 0);
|
|
|
|
|
|
|
|
TLS_CERT_REQ(clientcertaltreq, altcacertreq,
|
|
|
|
"UK", "qemu", NULL, NULL, NULL, NULL,
|
|
|
|
true, true, false,
|
|
|
|
true, true,
|
|
|
|
GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT,
|
|
|
|
true, true, GNUTLS_KP_TLS_WWW_CLIENT, NULL,
|
|
|
|
0, 0);
|
|
|
|
|
|
|
|
TEST_SESS_REG(basicca, cacertreq.filename,
|
|
|
|
servercertreq.filename, clientcertreq.filename,
|
|
|
|
false, false, "qemu.org", NULL);
|
|
|
|
TEST_SESS_REG_EXT(differentca, cacertreq.filename,
|
|
|
|
altcacertreq.filename, servercertreq.filename,
|
|
|
|
clientcertaltreq.filename, true, true, "qemu.org", NULL);
|
|
|
|
|
|
|
|
|
|
|
|
/* When an altname is set, the CN is ignored, so it must be duplicated
|
|
|
|
* as an altname for it to match */
|
|
|
|
TLS_CERT_REQ(servercertalt1req, cacertreq,
|
|
|
|
"UK", "qemu.org", "www.qemu.org", "qemu.org",
|
|
|
|
"192.168.122.1", "fec0::dead:beaf",
|
|
|
|
true, true, false,
|
|
|
|
true, true,
|
|
|
|
GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT,
|
|
|
|
true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL,
|
|
|
|
0, 0);
|
|
|
|
/* This intentionally doesn't replicate */
|
|
|
|
TLS_CERT_REQ(servercertalt2req, cacertreq,
|
|
|
|
"UK", "qemu.org", "www.qemu.org", "wiki.qemu.org",
|
|
|
|
"192.168.122.1", "fec0::dead:beaf",
|
|
|
|
true, true, false,
|
|
|
|
true, true,
|
|
|
|
GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT,
|
|
|
|
true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL,
|
|
|
|
0, 0);
|
|
|
|
|
|
|
|
TEST_SESS_REG(altname1, cacertreq.filename,
|
|
|
|
servercertalt1req.filename, clientcertreq.filename,
|
|
|
|
false, false, "qemu.org", NULL);
|
|
|
|
TEST_SESS_REG(altname2, cacertreq.filename,
|
|
|
|
servercertalt1req.filename, clientcertreq.filename,
|
|
|
|
false, false, "www.qemu.org", NULL);
|
|
|
|
TEST_SESS_REG(altname3, cacertreq.filename,
|
|
|
|
servercertalt1req.filename, clientcertreq.filename,
|
|
|
|
false, true, "wiki.qemu.org", NULL);
|
|
|
|
|
|
|
|
TEST_SESS_REG(altname4, cacertreq.filename,
|
|
|
|
servercertalt2req.filename, clientcertreq.filename,
|
|
|
|
false, true, "qemu.org", NULL);
|
|
|
|
TEST_SESS_REG(altname5, cacertreq.filename,
|
|
|
|
servercertalt2req.filename, clientcertreq.filename,
|
|
|
|
false, false, "www.qemu.org", NULL);
|
|
|
|
TEST_SESS_REG(altname6, cacertreq.filename,
|
|
|
|
servercertalt2req.filename, clientcertreq.filename,
|
|
|
|
false, false, "wiki.qemu.org", NULL);
|
|
|
|
|
|
|
|
const char *const wildcards1[] = {
|
|
|
|
"C=UK,CN=dogfood",
|
|
|
|
NULL,
|
|
|
|
};
|
|
|
|
const char *const wildcards2[] = {
|
|
|
|
"C=UK,CN=qemu",
|
|
|
|
NULL,
|
|
|
|
};
|
|
|
|
const char *const wildcards3[] = {
|
|
|
|
"C=UK,CN=dogfood",
|
|
|
|
"C=UK,CN=qemu",
|
|
|
|
NULL,
|
|
|
|
};
|
|
|
|
const char *const wildcards4[] = {
|
|
|
|
"C=UK,CN=qemustuff",
|
|
|
|
NULL,
|
|
|
|
};
|
|
|
|
const char *const wildcards5[] = {
|
|
|
|
"C=UK,CN=qemu*",
|
|
|
|
NULL,
|
|
|
|
};
|
|
|
|
const char *const wildcards6[] = {
|
|
|
|
"C=UK,CN=*emu*",
|
|
|
|
NULL,
|
|
|
|
};
|
|
|
|
|
|
|
|
TEST_SESS_REG(wildcard1, cacertreq.filename,
|
|
|
|
servercertreq.filename, clientcertreq.filename,
|
|
|
|
true, false, "qemu.org", wildcards1);
|
|
|
|
TEST_SESS_REG(wildcard2, cacertreq.filename,
|
|
|
|
servercertreq.filename, clientcertreq.filename,
|
|
|
|
false, false, "qemu.org", wildcards2);
|
|
|
|
TEST_SESS_REG(wildcard3, cacertreq.filename,
|
|
|
|
servercertreq.filename, clientcertreq.filename,
|
|
|
|
false, false, "qemu.org", wildcards3);
|
|
|
|
TEST_SESS_REG(wildcard4, cacertreq.filename,
|
|
|
|
servercertreq.filename, clientcertreq.filename,
|
|
|
|
true, false, "qemu.org", wildcards4);
|
|
|
|
TEST_SESS_REG(wildcard5, cacertreq.filename,
|
|
|
|
servercertreq.filename, clientcertreq.filename,
|
|
|
|
false, false, "qemu.org", wildcards5);
|
|
|
|
TEST_SESS_REG(wildcard6, cacertreq.filename,
|
|
|
|
servercertreq.filename, clientcertreq.filename,
|
|
|
|
false, false, "qemu.org", wildcards6);
|
|
|
|
|
|
|
|
TLS_ROOT_REQ(cacertrootreq,
|
|
|
|
"UK", "qemu root", NULL, NULL, NULL, NULL,
|
|
|
|
true, true, true,
|
|
|
|
true, true, GNUTLS_KEY_KEY_CERT_SIGN,
|
|
|
|
false, false, NULL, NULL,
|
|
|
|
0, 0);
|
|
|
|
TLS_CERT_REQ(cacertlevel1areq, cacertrootreq,
|
|
|
|
"UK", "qemu level 1a", NULL, NULL, NULL, NULL,
|
|
|
|
true, true, true,
|
|
|
|
true, true, GNUTLS_KEY_KEY_CERT_SIGN,
|
|
|
|
false, false, NULL, NULL,
|
|
|
|
0, 0);
|
|
|
|
TLS_CERT_REQ(cacertlevel1breq, cacertrootreq,
|
|
|
|
"UK", "qemu level 1b", NULL, NULL, NULL, NULL,
|
|
|
|
true, true, true,
|
|
|
|
true, true, GNUTLS_KEY_KEY_CERT_SIGN,
|
|
|
|
false, false, NULL, NULL,
|
|
|
|
0, 0);
|
|
|
|
TLS_CERT_REQ(cacertlevel2areq, cacertlevel1areq,
|
|
|
|
"UK", "qemu level 2a", NULL, NULL, NULL, NULL,
|
|
|
|
true, true, true,
|
|
|
|
true, true, GNUTLS_KEY_KEY_CERT_SIGN,
|
|
|
|
false, false, NULL, NULL,
|
|
|
|
0, 0);
|
|
|
|
TLS_CERT_REQ(servercertlevel3areq, cacertlevel2areq,
|
|
|
|
"UK", "qemu.org", NULL, NULL, NULL, NULL,
|
|
|
|
true, true, false,
|
|
|
|
true, true,
|
|
|
|
GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT,
|
|
|
|
true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL,
|
|
|
|
0, 0);
|
|
|
|
TLS_CERT_REQ(clientcertlevel2breq, cacertlevel1breq,
|
|
|
|
"UK", "qemu client level 2b", NULL, NULL, NULL, NULL,
|
|
|
|
true, true, false,
|
|
|
|
true, true,
|
|
|
|
GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT,
|
|
|
|
true, true, GNUTLS_KP_TLS_WWW_CLIENT, NULL,
|
|
|
|
0, 0);
|
|
|
|
|
|
|
|
gnutls_x509_crt_t certchain[] = {
|
|
|
|
cacertrootreq.crt,
|
|
|
|
cacertlevel1areq.crt,
|
|
|
|
cacertlevel1breq.crt,
|
|
|
|
cacertlevel2areq.crt,
|
|
|
|
};
|
|
|
|
|
|
|
|
test_tls_write_cert_chain(WORKDIR "cacertchain-sess.pem",
|
|
|
|
certchain,
|
|
|
|
G_N_ELEMENTS(certchain));
|
|
|
|
|
|
|
|
TEST_SESS_REG(cachain, WORKDIR "cacertchain-sess.pem",
|
|
|
|
servercertlevel3areq.filename, clientcertlevel2breq.filename,
|
|
|
|
false, false, "qemu.org", NULL);
|
|
|
|
|
|
|
|
ret = g_test_run();
|
|
|
|
|
|
|
|
test_tls_discard_cert(&clientcertreq);
|
|
|
|
test_tls_discard_cert(&clientcertaltreq);
|
|
|
|
|
|
|
|
test_tls_discard_cert(&servercertreq);
|
|
|
|
test_tls_discard_cert(&servercertalt1req);
|
|
|
|
test_tls_discard_cert(&servercertalt2req);
|
|
|
|
|
|
|
|
test_tls_discard_cert(&cacertreq);
|
|
|
|
test_tls_discard_cert(&altcacertreq);
|
|
|
|
|
|
|
|
test_tls_discard_cert(&cacertrootreq);
|
|
|
|
test_tls_discard_cert(&cacertlevel1areq);
|
|
|
|
test_tls_discard_cert(&cacertlevel1breq);
|
|
|
|
test_tls_discard_cert(&cacertlevel2areq);
|
|
|
|
test_tls_discard_cert(&servercertlevel3areq);
|
|
|
|
test_tls_discard_cert(&clientcertlevel2breq);
|
|
|
|
unlink(WORKDIR "cacertchain-sess.pem");
|
|
|
|
|
crypto: Implement TLS Pre-Shared Keys (PSK).
Pre-Shared Keys (PSK) is a simpler mechanism for enabling TLS
connections than using certificates. It requires only a simple secret
key:
$ mkdir -m 0700 /tmp/keys
$ psktool -u rjones -p /tmp/keys/keys.psk
$ cat /tmp/keys/keys.psk
rjones:d543770c15ad93d76443fb56f501a31969235f47e999720ae8d2336f6a13fcbc
The key can be secretly shared between clients and servers. Clients
must specify the directory containing the "keys.psk" file and a
username (defaults to "qemu"). Servers must specify only the
directory.
Example NBD client:
$ qemu-img info \
--object tls-creds-psk,id=tls0,dir=/tmp/keys,username=rjones,endpoint=client \
--image-opts \
file.driver=nbd,file.host=localhost,file.port=10809,file.tls-creds=tls0,file.export=/
Example NBD server using qemu-nbd:
$ qemu-nbd -t -x / \
--object tls-creds-psk,id=tls0,endpoint=server,dir=/tmp/keys \
--tls-creds tls0 \
image.qcow2
Example NBD server using nbdkit:
$ nbdkit -n -e / -fv \
--tls=on --tls-psk=/tmp/keys/keys.psk \
file file=disk.img
Signed-off-by: Richard W.M. Jones <rjones@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
2018-07-03 10:03:03 +02:00
|
|
|
test_tls_psk_cleanup(PSKFILE);
|
2015-03-02 18:23:31 +01:00
|
|
|
test_tls_cleanup(KEYFILE);
|
|
|
|
rmdir(WORKDIR);
|
|
|
|
|
|
|
|
return ret == 0 ? EXIT_SUCCESS : EXIT_FAILURE;
|
|
|
|
}
|
|
|
|
|
|
|
|
#else /* ! QCRYPTO_HAVE_TLS_TEST_SUPPORT */
|
|
|
|
|
|
|
|
int
|
|
|
|
main(void)
|
|
|
|
{
|
|
|
|
return EXIT_SUCCESS;
|
|
|
|
}
|
|
|
|
|
|
|
|
#endif /* ! QCRYPTO_HAVE_TLS_TEST_SUPPORT */
|