qemu-e2k/tests/unit/crypto-tls-psk-helpers.c

/*
 * Copyright (C) 2015-2018 Red Hat, Inc.
 *
 * This library is free software; you can redistribute it and/or
 * modify it under the terms of the GNU Lesser General Public
 * License as published by the Free Software Foundation; either
 * version 2.1 of the License, or (at your option) any later version.
 *
 * This library is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
 * Lesser General Public License for more details.
 *
 * You should have received a copy of the GNU Lesser General Public
 * License along with this library.  If not, see
 * <http://www.gnu.org/licenses/>.
 *
 * Author: Richard W.M. Jones <rjones@redhat.com>
 */

#include "qemu/osdep.h"

#include "crypto-tls-x509-helpers.h"
#include "crypto-tls-psk-helpers.h"
#include "qemu/sockets.h"

static void
test_tls_psk_init_common(const char *pskfile, const char *user, const char *key)
{
    g_autoptr(GError) gerr = NULL;
    g_autofree char *line = g_strdup_printf("%s:%s\n", user, key);

    g_file_set_contents(pskfile, line, strlen(line), &gerr);
    if (gerr != NULL) {
        g_critical("Failed to create pskfile %s: %s", pskfile, gerr->message);
        abort();
    }
}

void test_tls_psk_init(const char *pskfile)
{
    /* Don't hard code a key like this in real applications!  Use psktool. */
    test_tls_psk_init_common(pskfile, "qemu", "009d5638c40fde0c");
}

void test_tls_psk_init_alt(const char *pskfile)
{
    /* Don't hard code a key like this in real applications!  Use psktool. */
    test_tls_psk_init_common(pskfile, "qemu", "10ffa6a2c42f0388");
}

void test_tls_psk_cleanup(const char *pskfile)
{
    unlink(pskfile);
}
crypto: Implement TLS Pre-Shared Keys (PSK). Pre-Shared Keys (PSK) is a simpler mechanism for enabling TLS connections than using certificates. It requires only a simple secret key: $ mkdir -m 0700 /tmp/keys $ psktool -u rjones -p /tmp/keys/keys.psk $ cat /tmp/keys/keys.psk rjones:d543770c15ad93d76443fb56f501a31969235f47e999720ae8d2336f6a13fcbc The key can be secretly shared between clients and servers. Clients must specify the directory containing the "keys.psk" file and a username (defaults to "qemu"). Servers must specify only the directory. Example NBD client: $ qemu-img info \ --object tls-creds-psk,id=tls0,dir=/tmp/keys,username=rjones,endpoint=client \ --image-opts \ file.driver=nbd,file.host=localhost,file.port=10809,file.tls-creds=tls0,file.export=/ Example NBD server using qemu-nbd: $ qemu-nbd -t -x / \ --object tls-creds-psk,id=tls0,endpoint=server,dir=/tmp/keys \ --tls-creds tls0 \ image.qcow2 Example NBD server using nbdkit: $ nbdkit -n -e / -fv \ --tls=on --tls-psk=/tmp/keys/keys.psk \ file file=disk.img Signed-off-by: Richard W.M. Jones <rjones@redhat.com> Signed-off-by: Daniel P. Berrangé <berrange@redhat.com> 2018-07-03 10:03:03 +02:00			`/*`
			`* Copyright (C) 2015-2018 Red Hat, Inc.`
			`*`
			`* This library is free software; you can redistribute it and/or`
			`* modify it under the terms of the GNU Lesser General Public`
			`* License as published by the Free Software Foundation; either`
			`* version 2.1 of the License, or (at your option) any later version.`
			`*`
			`* This library is distributed in the hope that it will be useful,`
			`* but WITHOUT ANY WARRANTY; without even the implied warranty of`
			`* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU`
			`* Lesser General Public License for more details.`
			`*`
			`* You should have received a copy of the GNU Lesser General Public`
			`* License along with this library. If not, see`
			`* <http://www.gnu.org/licenses/>.`
			`*`
			`* Author: Richard W.M. Jones <rjones@redhat.com>`
			`*/`

			`#include "qemu/osdep.h"`

			`#include "crypto-tls-x509-helpers.h"`
			`#include "crypto-tls-psk-helpers.h"`
			`#include "qemu/sockets.h"`

tests: add migration tests of TLS with PSK credentials This validates that we correctly handle migration success and failure scenarios when using TLS with pre shared keys. Signed-off-by: Daniel P. Berrangé <berrange@redhat.com> Message-Id: <20220426160048.812266-4-berrange@redhat.com> Reviewed-by: Eric Blake <eblake@redhat.com> Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com> 2022-04-26 18:00:42 +02:00			`static void`
			`test_tls_psk_init_common(const char pskfile, const char user, const char *key)`
crypto: Implement TLS Pre-Shared Keys (PSK). Pre-Shared Keys (PSK) is a simpler mechanism for enabling TLS connections than using certificates. It requires only a simple secret key: $ mkdir -m 0700 /tmp/keys $ psktool -u rjones -p /tmp/keys/keys.psk $ cat /tmp/keys/keys.psk rjones:d543770c15ad93d76443fb56f501a31969235f47e999720ae8d2336f6a13fcbc The key can be secretly shared between clients and servers. Clients must specify the directory containing the "keys.psk" file and a username (defaults to "qemu"). Servers must specify only the directory. Example NBD client: $ qemu-img info \ --object tls-creds-psk,id=tls0,dir=/tmp/keys,username=rjones,endpoint=client \ --image-opts \ file.driver=nbd,file.host=localhost,file.port=10809,file.tls-creds=tls0,file.export=/ Example NBD server using qemu-nbd: $ qemu-nbd -t -x / \ --object tls-creds-psk,id=tls0,endpoint=server,dir=/tmp/keys \ --tls-creds tls0 \ image.qcow2 Example NBD server using nbdkit: $ nbdkit -n -e / -fv \ --tls=on --tls-psk=/tmp/keys/keys.psk \ file file=disk.img Signed-off-by: Richard W.M. Jones <rjones@redhat.com> Signed-off-by: Daniel P. Berrangé <berrange@redhat.com> 2018-07-03 10:03:03 +02:00			`{`
tests: avoid DOS line endings in PSK file Using FILE * APIs for writing the PSK file results in translation from UNIX to DOS line endings on Windows. When the crypto PSK code later loads the credentials the stray \r will result in failure to load the PSK credentials into GNUTLS. Rather than switching the FILE* APIs to open in binary format, just switch to the more concise g_file_set_contents API. Reviewed-by: Bin Meng <bmeng.cn@gmail.com> Tested-by: Bin Meng <bmeng.cn@gmail.com> Signed-off-by: Daniel P. Berrangé <berrange@redhat.com> 2022-09-28 16:57:24 +02:00			`g_autoptr(GError) gerr = NULL;`
			`g_autofree char *line = g_strdup_printf("%s:%s\n", user, key);`
crypto: Implement TLS Pre-Shared Keys (PSK). Pre-Shared Keys (PSK) is a simpler mechanism for enabling TLS connections than using certificates. It requires only a simple secret key: $ mkdir -m 0700 /tmp/keys $ psktool -u rjones -p /tmp/keys/keys.psk $ cat /tmp/keys/keys.psk rjones:d543770c15ad93d76443fb56f501a31969235f47e999720ae8d2336f6a13fcbc The key can be secretly shared between clients and servers. Clients must specify the directory containing the "keys.psk" file and a username (defaults to "qemu"). Servers must specify only the directory. Example NBD client: $ qemu-img info \ --object tls-creds-psk,id=tls0,dir=/tmp/keys,username=rjones,endpoint=client \ --image-opts \ file.driver=nbd,file.host=localhost,file.port=10809,file.tls-creds=tls0,file.export=/ Example NBD server using qemu-nbd: $ qemu-nbd -t -x / \ --object tls-creds-psk,id=tls0,endpoint=server,dir=/tmp/keys \ --tls-creds tls0 \ image.qcow2 Example NBD server using nbdkit: $ nbdkit -n -e / -fv \ --tls=on --tls-psk=/tmp/keys/keys.psk \ file file=disk.img Signed-off-by: Richard W.M. Jones <rjones@redhat.com> Signed-off-by: Daniel P. Berrangé <berrange@redhat.com> 2018-07-03 10:03:03 +02:00
tests: avoid DOS line endings in PSK file Using FILE * APIs for writing the PSK file results in translation from UNIX to DOS line endings on Windows. When the crypto PSK code later loads the credentials the stray \r will result in failure to load the PSK credentials into GNUTLS. Rather than switching the FILE* APIs to open in binary format, just switch to the more concise g_file_set_contents API. Reviewed-by: Bin Meng <bmeng.cn@gmail.com> Tested-by: Bin Meng <bmeng.cn@gmail.com> Signed-off-by: Daniel P. Berrangé <berrange@redhat.com> 2022-09-28 16:57:24 +02:00			`g_file_set_contents(pskfile, line, strlen(line), &gerr);`
			`if (gerr != NULL) {`
			`g_critical("Failed to create pskfile %s: %s", pskfile, gerr->message);`
crypto: Implement TLS Pre-Shared Keys (PSK). Pre-Shared Keys (PSK) is a simpler mechanism for enabling TLS connections than using certificates. It requires only a simple secret key: $ mkdir -m 0700 /tmp/keys $ psktool -u rjones -p /tmp/keys/keys.psk $ cat /tmp/keys/keys.psk rjones:d543770c15ad93d76443fb56f501a31969235f47e999720ae8d2336f6a13fcbc The key can be secretly shared between clients and servers. Clients must specify the directory containing the "keys.psk" file and a username (defaults to "qemu"). Servers must specify only the directory. Example NBD client: $ qemu-img info \ --object tls-creds-psk,id=tls0,dir=/tmp/keys,username=rjones,endpoint=client \ --image-opts \ file.driver=nbd,file.host=localhost,file.port=10809,file.tls-creds=tls0,file.export=/ Example NBD server using qemu-nbd: $ qemu-nbd -t -x / \ --object tls-creds-psk,id=tls0,endpoint=server,dir=/tmp/keys \ --tls-creds tls0 \ image.qcow2 Example NBD server using nbdkit: $ nbdkit -n -e / -fv \ --tls=on --tls-psk=/tmp/keys/keys.psk \ file file=disk.img Signed-off-by: Richard W.M. Jones <rjones@redhat.com> Signed-off-by: Daniel P. Berrangé <berrange@redhat.com> 2018-07-03 10:03:03 +02:00			`abort();`
			`}`
			`}`

tests: add migration tests of TLS with PSK credentials This validates that we correctly handle migration success and failure scenarios when using TLS with pre shared keys. Signed-off-by: Daniel P. Berrangé <berrange@redhat.com> Message-Id: <20220426160048.812266-4-berrange@redhat.com> Reviewed-by: Eric Blake <eblake@redhat.com> Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com> 2022-04-26 18:00:42 +02:00			`void test_tls_psk_init(const char *pskfile)`
			`{`
			`/* Don't hard code a key like this in real applications! Use psktool. */`
			`test_tls_psk_init_common(pskfile, "qemu", "009d5638c40fde0c");`
			`}`

			`void test_tls_psk_init_alt(const char *pskfile)`
			`{`
			`/* Don't hard code a key like this in real applications! Use psktool. */`
			`test_tls_psk_init_common(pskfile, "qemu", "10ffa6a2c42f0388");`
			`}`

crypto: Implement TLS Pre-Shared Keys (PSK). Pre-Shared Keys (PSK) is a simpler mechanism for enabling TLS connections than using certificates. It requires only a simple secret key: $ mkdir -m 0700 /tmp/keys $ psktool -u rjones -p /tmp/keys/keys.psk $ cat /tmp/keys/keys.psk rjones:d543770c15ad93d76443fb56f501a31969235f47e999720ae8d2336f6a13fcbc The key can be secretly shared between clients and servers. Clients must specify the directory containing the "keys.psk" file and a username (defaults to "qemu"). Servers must specify only the directory. Example NBD client: $ qemu-img info \ --object tls-creds-psk,id=tls0,dir=/tmp/keys,username=rjones,endpoint=client \ --image-opts \ file.driver=nbd,file.host=localhost,file.port=10809,file.tls-creds=tls0,file.export=/ Example NBD server using qemu-nbd: $ qemu-nbd -t -x / \ --object tls-creds-psk,id=tls0,endpoint=server,dir=/tmp/keys \ --tls-creds tls0 \ image.qcow2 Example NBD server using nbdkit: $ nbdkit -n -e / -fv \ --tls=on --tls-psk=/tmp/keys/keys.psk \ file file=disk.img Signed-off-by: Richard W.M. Jones <rjones@redhat.com> Signed-off-by: Daniel P. Berrangé <berrange@redhat.com> 2018-07-03 10:03:03 +02:00			`void test_tls_psk_cleanup(const char *pskfile)`
			`{`
			`unlink(pskfile);`
			`}`