tests: add migration tests of TLS with PSK credentials
This validates that we correctly handle migration success and failure scenarios when using TLS with pre shared keys. Signed-off-by: Daniel P. Berrangé <berrange@redhat.com> Message-Id: <20220426160048.812266-4-berrange@redhat.com> Reviewed-by: Eric Blake <eblake@redhat.com> Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
This commit is contained in:
parent
5bc6364bfb
commit
58d25e97f3
@ -273,13 +273,18 @@ endif
|
|||||||
|
|
||||||
tpmemu_files = ['tpm-emu.c', 'tpm-util.c', 'tpm-tests.c']
|
tpmemu_files = ['tpm-emu.c', 'tpm-util.c', 'tpm-tests.c']
|
||||||
|
|
||||||
|
migration_files = [files('migration-helpers.c')]
|
||||||
|
if gnutls.found()
|
||||||
|
migration_files += [files('../unit/crypto-tls-psk-helpers.c'), gnutls]
|
||||||
|
endif
|
||||||
|
|
||||||
qtests = {
|
qtests = {
|
||||||
'bios-tables-test': [io, 'boot-sector.c', 'acpi-utils.c', 'tpm-emu.c'],
|
'bios-tables-test': [io, 'boot-sector.c', 'acpi-utils.c', 'tpm-emu.c'],
|
||||||
'cdrom-test': files('boot-sector.c'),
|
'cdrom-test': files('boot-sector.c'),
|
||||||
'dbus-vmstate-test': files('migration-helpers.c') + dbus_vmstate1,
|
'dbus-vmstate-test': files('migration-helpers.c') + dbus_vmstate1,
|
||||||
'erst-test': files('erst-test.c'),
|
'erst-test': files('erst-test.c'),
|
||||||
'ivshmem-test': [rt, '../../contrib/ivshmem-server/ivshmem-server.c'],
|
'ivshmem-test': [rt, '../../contrib/ivshmem-server/ivshmem-server.c'],
|
||||||
'migration-test': files('migration-helpers.c'),
|
'migration-test': migration_files,
|
||||||
'pxe-test': files('boot-sector.c'),
|
'pxe-test': files('boot-sector.c'),
|
||||||
'qos-test': [chardev, io, qos_test_ss.apply(config_host, strict: false).sources()],
|
'qos-test': [chardev, io, qos_test_ss.apply(config_host, strict: false).sources()],
|
||||||
'tpm-crb-swtpm-test': [io, tpmemu_files],
|
'tpm-crb-swtpm-test': [io, tpmemu_files],
|
||||||
|
@ -23,9 +23,13 @@
|
|||||||
#include "qapi/qapi-visit-sockets.h"
|
#include "qapi/qapi-visit-sockets.h"
|
||||||
#include "qapi/qobject-input-visitor.h"
|
#include "qapi/qobject-input-visitor.h"
|
||||||
#include "qapi/qobject-output-visitor.h"
|
#include "qapi/qobject-output-visitor.h"
|
||||||
|
#include "crypto/tlscredspsk.h"
|
||||||
|
|
||||||
#include "migration-helpers.h"
|
#include "migration-helpers.h"
|
||||||
#include "tests/migration/migration-test.h"
|
#include "tests/migration/migration-test.h"
|
||||||
|
#ifdef CONFIG_GNUTLS
|
||||||
|
# include "tests/unit/crypto-tls-psk-helpers.h"
|
||||||
|
#endif /* CONFIG_GNUTLS */
|
||||||
|
|
||||||
/* For dirty ring test; so far only x86_64 is supported */
|
/* For dirty ring test; so far only x86_64 is supported */
|
||||||
#if defined(__linux__) && defined(HOST_X86_64)
|
#if defined(__linux__) && defined(HOST_X86_64)
|
||||||
@ -640,6 +644,100 @@ static void test_migrate_end(QTestState *from, QTestState *to, bool test_dest)
|
|||||||
cleanup("dest_serial");
|
cleanup("dest_serial");
|
||||||
}
|
}
|
||||||
|
|
||||||
|
#ifdef CONFIG_GNUTLS
|
||||||
|
struct TestMigrateTLSPSKData {
|
||||||
|
char *workdir;
|
||||||
|
char *workdiralt;
|
||||||
|
char *pskfile;
|
||||||
|
char *pskfilealt;
|
||||||
|
};
|
||||||
|
|
||||||
|
static void *
|
||||||
|
test_migrate_tls_psk_start_common(QTestState *from,
|
||||||
|
QTestState *to,
|
||||||
|
bool mismatch)
|
||||||
|
{
|
||||||
|
struct TestMigrateTLSPSKData *data =
|
||||||
|
g_new0(struct TestMigrateTLSPSKData, 1);
|
||||||
|
QDict *rsp;
|
||||||
|
|
||||||
|
data->workdir = g_strdup_printf("%s/tlscredspsk0", tmpfs);
|
||||||
|
data->pskfile = g_strdup_printf("%s/%s", data->workdir,
|
||||||
|
QCRYPTO_TLS_CREDS_PSKFILE);
|
||||||
|
mkdir(data->workdir, 0700);
|
||||||
|
test_tls_psk_init(data->pskfile);
|
||||||
|
|
||||||
|
if (mismatch) {
|
||||||
|
data->workdiralt = g_strdup_printf("%s/tlscredspskalt0", tmpfs);
|
||||||
|
data->pskfilealt = g_strdup_printf("%s/%s", data->workdiralt,
|
||||||
|
QCRYPTO_TLS_CREDS_PSKFILE);
|
||||||
|
mkdir(data->workdiralt, 0700);
|
||||||
|
test_tls_psk_init_alt(data->pskfilealt);
|
||||||
|
}
|
||||||
|
|
||||||
|
rsp = wait_command(from,
|
||||||
|
"{ 'execute': 'object-add',"
|
||||||
|
" 'arguments': { 'qom-type': 'tls-creds-psk',"
|
||||||
|
" 'id': 'tlscredspsk0',"
|
||||||
|
" 'endpoint': 'client',"
|
||||||
|
" 'dir': %s,"
|
||||||
|
" 'username': 'qemu'} }",
|
||||||
|
data->workdir);
|
||||||
|
qobject_unref(rsp);
|
||||||
|
|
||||||
|
rsp = wait_command(to,
|
||||||
|
"{ 'execute': 'object-add',"
|
||||||
|
" 'arguments': { 'qom-type': 'tls-creds-psk',"
|
||||||
|
" 'id': 'tlscredspsk0',"
|
||||||
|
" 'endpoint': 'server',"
|
||||||
|
" 'dir': %s } }",
|
||||||
|
mismatch ? data->workdiralt : data->workdir);
|
||||||
|
qobject_unref(rsp);
|
||||||
|
|
||||||
|
migrate_set_parameter_str(from, "tls-creds", "tlscredspsk0");
|
||||||
|
migrate_set_parameter_str(to, "tls-creds", "tlscredspsk0");
|
||||||
|
|
||||||
|
return data;
|
||||||
|
}
|
||||||
|
|
||||||
|
static void *
|
||||||
|
test_migrate_tls_psk_start_match(QTestState *from,
|
||||||
|
QTestState *to)
|
||||||
|
{
|
||||||
|
return test_migrate_tls_psk_start_common(from, to, false);
|
||||||
|
}
|
||||||
|
|
||||||
|
static void *
|
||||||
|
test_migrate_tls_psk_start_mismatch(QTestState *from,
|
||||||
|
QTestState *to)
|
||||||
|
{
|
||||||
|
return test_migrate_tls_psk_start_common(from, to, true);
|
||||||
|
}
|
||||||
|
|
||||||
|
static void
|
||||||
|
test_migrate_tls_psk_finish(QTestState *from,
|
||||||
|
QTestState *to,
|
||||||
|
void *opaque)
|
||||||
|
{
|
||||||
|
struct TestMigrateTLSPSKData *data = opaque;
|
||||||
|
|
||||||
|
test_tls_psk_cleanup(data->pskfile);
|
||||||
|
if (data->pskfilealt) {
|
||||||
|
test_tls_psk_cleanup(data->pskfilealt);
|
||||||
|
}
|
||||||
|
rmdir(data->workdir);
|
||||||
|
if (data->workdiralt) {
|
||||||
|
rmdir(data->workdiralt);
|
||||||
|
}
|
||||||
|
|
||||||
|
g_free(data->workdiralt);
|
||||||
|
g_free(data->pskfilealt);
|
||||||
|
g_free(data->workdir);
|
||||||
|
g_free(data->pskfile);
|
||||||
|
g_free(data);
|
||||||
|
}
|
||||||
|
#endif /* CONFIG_GNUTLS */
|
||||||
|
|
||||||
static int migrate_postcopy_prepare(QTestState **from_ptr,
|
static int migrate_postcopy_prepare(QTestState **from_ptr,
|
||||||
QTestState **to_ptr,
|
QTestState **to_ptr,
|
||||||
MigrateStart *args)
|
MigrateStart *args)
|
||||||
@ -911,7 +1009,7 @@ static void test_precopy_common(MigrateCommon *args)
|
|||||||
test_migrate_end(from, to, args->result == MIG_TEST_SUCCEED);
|
test_migrate_end(from, to, args->result == MIG_TEST_SUCCEED);
|
||||||
}
|
}
|
||||||
|
|
||||||
static void test_precopy_unix(void)
|
static void test_precopy_unix_plain(void)
|
||||||
{
|
{
|
||||||
g_autofree char *uri = g_strdup_printf("unix:%s/migsocket", tmpfs);
|
g_autofree char *uri = g_strdup_printf("unix:%s/migsocket", tmpfs);
|
||||||
MigrateCommon args = {
|
MigrateCommon args = {
|
||||||
@ -922,6 +1020,21 @@ static void test_precopy_unix(void)
|
|||||||
test_precopy_common(&args);
|
test_precopy_common(&args);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
#ifdef CONFIG_GNUTLS
|
||||||
|
static void test_precopy_unix_tls_psk(void)
|
||||||
|
{
|
||||||
|
g_autofree char *uri = g_strdup_printf("unix:%s/migsocket", tmpfs);
|
||||||
|
MigrateCommon args = {
|
||||||
|
.connect_uri = uri,
|
||||||
|
.listen_uri = uri,
|
||||||
|
.start_hook = test_migrate_tls_psk_start_match,
|
||||||
|
.finish_hook = test_migrate_tls_psk_finish,
|
||||||
|
};
|
||||||
|
|
||||||
|
test_precopy_common(&args);
|
||||||
|
}
|
||||||
|
#endif
|
||||||
|
|
||||||
static void test_precopy_unix_dirty_ring(void)
|
static void test_precopy_unix_dirty_ring(void)
|
||||||
{
|
{
|
||||||
g_autofree char *uri = g_strdup_printf("unix:%s/migsocket", tmpfs);
|
g_autofree char *uri = g_strdup_printf("unix:%s/migsocket", tmpfs);
|
||||||
@ -1026,7 +1139,7 @@ static void test_xbzrle_unix(void)
|
|||||||
test_xbzrle(uri);
|
test_xbzrle(uri);
|
||||||
}
|
}
|
||||||
|
|
||||||
static void test_precopy_tcp(void)
|
static void test_precopy_tcp_plain(void)
|
||||||
{
|
{
|
||||||
MigrateCommon args = {
|
MigrateCommon args = {
|
||||||
.listen_uri = "tcp:127.0.0.1:0",
|
.listen_uri = "tcp:127.0.0.1:0",
|
||||||
@ -1035,6 +1148,34 @@ static void test_precopy_tcp(void)
|
|||||||
test_precopy_common(&args);
|
test_precopy_common(&args);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
#ifdef CONFIG_GNUTLS
|
||||||
|
static void test_precopy_tcp_tls_psk_match(void)
|
||||||
|
{
|
||||||
|
MigrateCommon args = {
|
||||||
|
.listen_uri = "tcp:127.0.0.1:0",
|
||||||
|
.start_hook = test_migrate_tls_psk_start_match,
|
||||||
|
.finish_hook = test_migrate_tls_psk_finish,
|
||||||
|
};
|
||||||
|
|
||||||
|
test_precopy_common(&args);
|
||||||
|
}
|
||||||
|
|
||||||
|
static void test_precopy_tcp_tls_psk_mismatch(void)
|
||||||
|
{
|
||||||
|
MigrateCommon args = {
|
||||||
|
.start = {
|
||||||
|
.hide_stderr = true,
|
||||||
|
},
|
||||||
|
.listen_uri = "tcp:127.0.0.1:0",
|
||||||
|
.start_hook = test_migrate_tls_psk_start_mismatch,
|
||||||
|
.finish_hook = test_migrate_tls_psk_finish,
|
||||||
|
.result = MIG_TEST_FAIL,
|
||||||
|
};
|
||||||
|
|
||||||
|
test_precopy_common(&args);
|
||||||
|
}
|
||||||
|
#endif /* CONFIG_GNUTLS */
|
||||||
|
|
||||||
static void *test_migrate_fd_start_hook(QTestState *from,
|
static void *test_migrate_fd_start_hook(QTestState *from,
|
||||||
QTestState *to)
|
QTestState *to)
|
||||||
{
|
{
|
||||||
@ -1497,8 +1638,20 @@ int main(int argc, char **argv)
|
|||||||
qtest_add_func("/migration/postcopy/unix", test_postcopy);
|
qtest_add_func("/migration/postcopy/unix", test_postcopy);
|
||||||
qtest_add_func("/migration/postcopy/recovery", test_postcopy_recovery);
|
qtest_add_func("/migration/postcopy/recovery", test_postcopy_recovery);
|
||||||
qtest_add_func("/migration/bad_dest", test_baddest);
|
qtest_add_func("/migration/bad_dest", test_baddest);
|
||||||
qtest_add_func("/migration/precopy/unix", test_precopy_unix);
|
qtest_add_func("/migration/precopy/unix/plain", test_precopy_unix_plain);
|
||||||
qtest_add_func("/migration/precopy/tcp", test_precopy_tcp);
|
#ifdef CONFIG_GNUTLS
|
||||||
|
qtest_add_func("/migration/precopy/unix/tls/psk",
|
||||||
|
test_precopy_unix_tls_psk);
|
||||||
|
#endif /* CONFIG_GNUTLS */
|
||||||
|
|
||||||
|
qtest_add_func("/migration/precopy/tcp/plain", test_precopy_tcp_plain);
|
||||||
|
#ifdef CONFIG_GNUTLS
|
||||||
|
qtest_add_func("/migration/precopy/tcp/tls/psk/match",
|
||||||
|
test_precopy_tcp_tls_psk_match);
|
||||||
|
qtest_add_func("/migration/precopy/tcp/tls/psk/mismatch",
|
||||||
|
test_precopy_tcp_tls_psk_mismatch);
|
||||||
|
#endif /* CONFIG_GNUTLS */
|
||||||
|
|
||||||
/* qtest_add_func("/migration/ignore_shared", test_ignore_shared); */
|
/* qtest_add_func("/migration/ignore_shared", test_ignore_shared); */
|
||||||
qtest_add_func("/migration/xbzrle/unix", test_xbzrle_unix);
|
qtest_add_func("/migration/xbzrle/unix", test_xbzrle_unix);
|
||||||
qtest_add_func("/migration/fd_proto", test_migrate_fd_proto);
|
qtest_add_func("/migration/fd_proto", test_migrate_fd_proto);
|
||||||
|
@ -24,7 +24,8 @@
|
|||||||
#include "crypto-tls-psk-helpers.h"
|
#include "crypto-tls-psk-helpers.h"
|
||||||
#include "qemu/sockets.h"
|
#include "qemu/sockets.h"
|
||||||
|
|
||||||
void test_tls_psk_init(const char *pskfile)
|
static void
|
||||||
|
test_tls_psk_init_common(const char *pskfile, const char *user, const char *key)
|
||||||
{
|
{
|
||||||
FILE *fp;
|
FILE *fp;
|
||||||
|
|
||||||
@ -33,11 +34,22 @@ void test_tls_psk_init(const char *pskfile)
|
|||||||
g_critical("Failed to create pskfile %s: %s", pskfile, strerror(errno));
|
g_critical("Failed to create pskfile %s: %s", pskfile, strerror(errno));
|
||||||
abort();
|
abort();
|
||||||
}
|
}
|
||||||
/* Don't do this in real applications! Use psktool. */
|
fprintf(fp, "%s:%s\n", user, key);
|
||||||
fprintf(fp, "qemu:009d5638c40fde0c\n");
|
|
||||||
fclose(fp);
|
fclose(fp);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
void test_tls_psk_init(const char *pskfile)
|
||||||
|
{
|
||||||
|
/* Don't hard code a key like this in real applications! Use psktool. */
|
||||||
|
test_tls_psk_init_common(pskfile, "qemu", "009d5638c40fde0c");
|
||||||
|
}
|
||||||
|
|
||||||
|
void test_tls_psk_init_alt(const char *pskfile)
|
||||||
|
{
|
||||||
|
/* Don't hard code a key like this in real applications! Use psktool. */
|
||||||
|
test_tls_psk_init_common(pskfile, "qemu", "10ffa6a2c42f0388");
|
||||||
|
}
|
||||||
|
|
||||||
void test_tls_psk_cleanup(const char *pskfile)
|
void test_tls_psk_cleanup(const char *pskfile)
|
||||||
{
|
{
|
||||||
unlink(pskfile);
|
unlink(pskfile);
|
||||||
|
@ -24,6 +24,7 @@
|
|||||||
#include <gnutls/gnutls.h>
|
#include <gnutls/gnutls.h>
|
||||||
|
|
||||||
void test_tls_psk_init(const char *keyfile);
|
void test_tls_psk_init(const char *keyfile);
|
||||||
|
void test_tls_psk_init_alt(const char *keyfile);
|
||||||
void test_tls_psk_cleanup(const char *keyfile);
|
void test_tls_psk_cleanup(const char *keyfile);
|
||||||
|
|
||||||
#endif
|
#endif
|
||||||
|
Loading…
Reference in New Issue
Block a user