tests: add migration tests of TLS with PSK credentials

This validates that we correctly handle migration success and failure
scenarios when using TLS with pre shared keys.

Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
Message-Id: <20220426160048.812266-4-berrange@redhat.com>
Reviewed-by: Eric Blake <eblake@redhat.com>
Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
This commit is contained in:
Daniel P. Berrangé 2022-04-26 17:00:42 +01:00 committed by Dr. David Alan Gilbert
parent 5bc6364bfb
commit 58d25e97f3
4 changed files with 179 additions and 8 deletions

View File

@ -273,13 +273,18 @@ endif
tpmemu_files = ['tpm-emu.c', 'tpm-util.c', 'tpm-tests.c'] tpmemu_files = ['tpm-emu.c', 'tpm-util.c', 'tpm-tests.c']
migration_files = [files('migration-helpers.c')]
if gnutls.found()
migration_files += [files('../unit/crypto-tls-psk-helpers.c'), gnutls]
endif
qtests = { qtests = {
'bios-tables-test': [io, 'boot-sector.c', 'acpi-utils.c', 'tpm-emu.c'], 'bios-tables-test': [io, 'boot-sector.c', 'acpi-utils.c', 'tpm-emu.c'],
'cdrom-test': files('boot-sector.c'), 'cdrom-test': files('boot-sector.c'),
'dbus-vmstate-test': files('migration-helpers.c') + dbus_vmstate1, 'dbus-vmstate-test': files('migration-helpers.c') + dbus_vmstate1,
'erst-test': files('erst-test.c'), 'erst-test': files('erst-test.c'),
'ivshmem-test': [rt, '../../contrib/ivshmem-server/ivshmem-server.c'], 'ivshmem-test': [rt, '../../contrib/ivshmem-server/ivshmem-server.c'],
'migration-test': files('migration-helpers.c'), 'migration-test': migration_files,
'pxe-test': files('boot-sector.c'), 'pxe-test': files('boot-sector.c'),
'qos-test': [chardev, io, qos_test_ss.apply(config_host, strict: false).sources()], 'qos-test': [chardev, io, qos_test_ss.apply(config_host, strict: false).sources()],
'tpm-crb-swtpm-test': [io, tpmemu_files], 'tpm-crb-swtpm-test': [io, tpmemu_files],

View File

@ -23,9 +23,13 @@
#include "qapi/qapi-visit-sockets.h" #include "qapi/qapi-visit-sockets.h"
#include "qapi/qobject-input-visitor.h" #include "qapi/qobject-input-visitor.h"
#include "qapi/qobject-output-visitor.h" #include "qapi/qobject-output-visitor.h"
#include "crypto/tlscredspsk.h"
#include "migration-helpers.h" #include "migration-helpers.h"
#include "tests/migration/migration-test.h" #include "tests/migration/migration-test.h"
#ifdef CONFIG_GNUTLS
# include "tests/unit/crypto-tls-psk-helpers.h"
#endif /* CONFIG_GNUTLS */
/* For dirty ring test; so far only x86_64 is supported */ /* For dirty ring test; so far only x86_64 is supported */
#if defined(__linux__) && defined(HOST_X86_64) #if defined(__linux__) && defined(HOST_X86_64)
@ -640,6 +644,100 @@ static void test_migrate_end(QTestState *from, QTestState *to, bool test_dest)
cleanup("dest_serial"); cleanup("dest_serial");
} }
#ifdef CONFIG_GNUTLS
struct TestMigrateTLSPSKData {
char *workdir;
char *workdiralt;
char *pskfile;
char *pskfilealt;
};
static void *
test_migrate_tls_psk_start_common(QTestState *from,
QTestState *to,
bool mismatch)
{
struct TestMigrateTLSPSKData *data =
g_new0(struct TestMigrateTLSPSKData, 1);
QDict *rsp;
data->workdir = g_strdup_printf("%s/tlscredspsk0", tmpfs);
data->pskfile = g_strdup_printf("%s/%s", data->workdir,
QCRYPTO_TLS_CREDS_PSKFILE);
mkdir(data->workdir, 0700);
test_tls_psk_init(data->pskfile);
if (mismatch) {
data->workdiralt = g_strdup_printf("%s/tlscredspskalt0", tmpfs);
data->pskfilealt = g_strdup_printf("%s/%s", data->workdiralt,
QCRYPTO_TLS_CREDS_PSKFILE);
mkdir(data->workdiralt, 0700);
test_tls_psk_init_alt(data->pskfilealt);
}
rsp = wait_command(from,
"{ 'execute': 'object-add',"
" 'arguments': { 'qom-type': 'tls-creds-psk',"
" 'id': 'tlscredspsk0',"
" 'endpoint': 'client',"
" 'dir': %s,"
" 'username': 'qemu'} }",
data->workdir);
qobject_unref(rsp);
rsp = wait_command(to,
"{ 'execute': 'object-add',"
" 'arguments': { 'qom-type': 'tls-creds-psk',"
" 'id': 'tlscredspsk0',"
" 'endpoint': 'server',"
" 'dir': %s } }",
mismatch ? data->workdiralt : data->workdir);
qobject_unref(rsp);
migrate_set_parameter_str(from, "tls-creds", "tlscredspsk0");
migrate_set_parameter_str(to, "tls-creds", "tlscredspsk0");
return data;
}
static void *
test_migrate_tls_psk_start_match(QTestState *from,
QTestState *to)
{
return test_migrate_tls_psk_start_common(from, to, false);
}
static void *
test_migrate_tls_psk_start_mismatch(QTestState *from,
QTestState *to)
{
return test_migrate_tls_psk_start_common(from, to, true);
}
static void
test_migrate_tls_psk_finish(QTestState *from,
QTestState *to,
void *opaque)
{
struct TestMigrateTLSPSKData *data = opaque;
test_tls_psk_cleanup(data->pskfile);
if (data->pskfilealt) {
test_tls_psk_cleanup(data->pskfilealt);
}
rmdir(data->workdir);
if (data->workdiralt) {
rmdir(data->workdiralt);
}
g_free(data->workdiralt);
g_free(data->pskfilealt);
g_free(data->workdir);
g_free(data->pskfile);
g_free(data);
}
#endif /* CONFIG_GNUTLS */
static int migrate_postcopy_prepare(QTestState **from_ptr, static int migrate_postcopy_prepare(QTestState **from_ptr,
QTestState **to_ptr, QTestState **to_ptr,
MigrateStart *args) MigrateStart *args)
@ -911,7 +1009,7 @@ static void test_precopy_common(MigrateCommon *args)
test_migrate_end(from, to, args->result == MIG_TEST_SUCCEED); test_migrate_end(from, to, args->result == MIG_TEST_SUCCEED);
} }
static void test_precopy_unix(void) static void test_precopy_unix_plain(void)
{ {
g_autofree char *uri = g_strdup_printf("unix:%s/migsocket", tmpfs); g_autofree char *uri = g_strdup_printf("unix:%s/migsocket", tmpfs);
MigrateCommon args = { MigrateCommon args = {
@ -922,6 +1020,21 @@ static void test_precopy_unix(void)
test_precopy_common(&args); test_precopy_common(&args);
} }
#ifdef CONFIG_GNUTLS
static void test_precopy_unix_tls_psk(void)
{
g_autofree char *uri = g_strdup_printf("unix:%s/migsocket", tmpfs);
MigrateCommon args = {
.connect_uri = uri,
.listen_uri = uri,
.start_hook = test_migrate_tls_psk_start_match,
.finish_hook = test_migrate_tls_psk_finish,
};
test_precopy_common(&args);
}
#endif
static void test_precopy_unix_dirty_ring(void) static void test_precopy_unix_dirty_ring(void)
{ {
g_autofree char *uri = g_strdup_printf("unix:%s/migsocket", tmpfs); g_autofree char *uri = g_strdup_printf("unix:%s/migsocket", tmpfs);
@ -1026,7 +1139,7 @@ static void test_xbzrle_unix(void)
test_xbzrle(uri); test_xbzrle(uri);
} }
static void test_precopy_tcp(void) static void test_precopy_tcp_plain(void)
{ {
MigrateCommon args = { MigrateCommon args = {
.listen_uri = "tcp:127.0.0.1:0", .listen_uri = "tcp:127.0.0.1:0",
@ -1035,6 +1148,34 @@ static void test_precopy_tcp(void)
test_precopy_common(&args); test_precopy_common(&args);
} }
#ifdef CONFIG_GNUTLS
static void test_precopy_tcp_tls_psk_match(void)
{
MigrateCommon args = {
.listen_uri = "tcp:127.0.0.1:0",
.start_hook = test_migrate_tls_psk_start_match,
.finish_hook = test_migrate_tls_psk_finish,
};
test_precopy_common(&args);
}
static void test_precopy_tcp_tls_psk_mismatch(void)
{
MigrateCommon args = {
.start = {
.hide_stderr = true,
},
.listen_uri = "tcp:127.0.0.1:0",
.start_hook = test_migrate_tls_psk_start_mismatch,
.finish_hook = test_migrate_tls_psk_finish,
.result = MIG_TEST_FAIL,
};
test_precopy_common(&args);
}
#endif /* CONFIG_GNUTLS */
static void *test_migrate_fd_start_hook(QTestState *from, static void *test_migrate_fd_start_hook(QTestState *from,
QTestState *to) QTestState *to)
{ {
@ -1497,8 +1638,20 @@ int main(int argc, char **argv)
qtest_add_func("/migration/postcopy/unix", test_postcopy); qtest_add_func("/migration/postcopy/unix", test_postcopy);
qtest_add_func("/migration/postcopy/recovery", test_postcopy_recovery); qtest_add_func("/migration/postcopy/recovery", test_postcopy_recovery);
qtest_add_func("/migration/bad_dest", test_baddest); qtest_add_func("/migration/bad_dest", test_baddest);
qtest_add_func("/migration/precopy/unix", test_precopy_unix); qtest_add_func("/migration/precopy/unix/plain", test_precopy_unix_plain);
qtest_add_func("/migration/precopy/tcp", test_precopy_tcp); #ifdef CONFIG_GNUTLS
qtest_add_func("/migration/precopy/unix/tls/psk",
test_precopy_unix_tls_psk);
#endif /* CONFIG_GNUTLS */
qtest_add_func("/migration/precopy/tcp/plain", test_precopy_tcp_plain);
#ifdef CONFIG_GNUTLS
qtest_add_func("/migration/precopy/tcp/tls/psk/match",
test_precopy_tcp_tls_psk_match);
qtest_add_func("/migration/precopy/tcp/tls/psk/mismatch",
test_precopy_tcp_tls_psk_mismatch);
#endif /* CONFIG_GNUTLS */
/* qtest_add_func("/migration/ignore_shared", test_ignore_shared); */ /* qtest_add_func("/migration/ignore_shared", test_ignore_shared); */
qtest_add_func("/migration/xbzrle/unix", test_xbzrle_unix); qtest_add_func("/migration/xbzrle/unix", test_xbzrle_unix);
qtest_add_func("/migration/fd_proto", test_migrate_fd_proto); qtest_add_func("/migration/fd_proto", test_migrate_fd_proto);

View File

@ -24,7 +24,8 @@
#include "crypto-tls-psk-helpers.h" #include "crypto-tls-psk-helpers.h"
#include "qemu/sockets.h" #include "qemu/sockets.h"
void test_tls_psk_init(const char *pskfile) static void
test_tls_psk_init_common(const char *pskfile, const char *user, const char *key)
{ {
FILE *fp; FILE *fp;
@ -33,11 +34,22 @@ void test_tls_psk_init(const char *pskfile)
g_critical("Failed to create pskfile %s: %s", pskfile, strerror(errno)); g_critical("Failed to create pskfile %s: %s", pskfile, strerror(errno));
abort(); abort();
} }
/* Don't do this in real applications! Use psktool. */ fprintf(fp, "%s:%s\n", user, key);
fprintf(fp, "qemu:009d5638c40fde0c\n");
fclose(fp); fclose(fp);
} }
void test_tls_psk_init(const char *pskfile)
{
/* Don't hard code a key like this in real applications! Use psktool. */
test_tls_psk_init_common(pskfile, "qemu", "009d5638c40fde0c");
}
void test_tls_psk_init_alt(const char *pskfile)
{
/* Don't hard code a key like this in real applications! Use psktool. */
test_tls_psk_init_common(pskfile, "qemu", "10ffa6a2c42f0388");
}
void test_tls_psk_cleanup(const char *pskfile) void test_tls_psk_cleanup(const char *pskfile)
{ {
unlink(pskfile); unlink(pskfile);

View File

@ -24,6 +24,7 @@
#include <gnutls/gnutls.h> #include <gnutls/gnutls.h>
void test_tls_psk_init(const char *keyfile); void test_tls_psk_init(const char *keyfile);
void test_tls_psk_init_alt(const char *keyfile);
void test_tls_psk_cleanup(const char *keyfile); void test_tls_psk_cleanup(const char *keyfile);
#endif #endif