From: "Daniel P. Berrangé" <berrange@redhat.com>
To: qemu-devel@nongnu.org
Cc: "Laurent Vivier" <lvivier@redhat.com>,
"Thomas Huth" <thuth@redhat.com>,
"Daniel P. Berrangé" <berrange@redhat.com>,
"Juan Quintela" <quintela@redhat.com>,
"Dr. David Alan Gilbert" <dgilbert@redhat.com>,
"Peter Xu" <peterx@redhat.com>,
"Paolo Bonzini" <pbonzini@redhat.com>
Subject: [PATCH 12/18] tests: add migration tests of TLS with PSK credentials
Date: Wed, 2 Mar 2022 17:49:26 +0000 [thread overview]
Message-ID: <20220302174932.2692378-13-berrange@redhat.com> (raw)
In-Reply-To: <20220302174932.2692378-1-berrange@redhat.com>
This validates that we correctly handle migration success and failure
scenarios when using TLS with pre-shared keys.
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
---
roms/seabios | 2 +-
tests/qtest/meson.build | 7 +-
tests/qtest/migration-test.c | 180 ++++++++++++++++++++++++++--
tests/unit/crypto-tls-psk-helpers.c | 18 ++-
tests/unit/crypto-tls-psk-helpers.h | 1 +
5 files changed, 190 insertions(+), 18 deletions(-)
diff --git a/roms/seabios b/roms/seabios
index 2dd4b9b3f8..6a62e0cb0d 160000
--- a/roms/seabios
+++ b/roms/seabios
@@ -1 +1 @@
-Subproject commit 2dd4b9b3f84019668719344b40dba79d681be41c
+Subproject commit 6a62e0cb0dfe9cd28b70547dbea5caf76847c3a9
diff --git a/tests/qtest/meson.build b/tests/qtest/meson.build
index f33d84d19b..a95bb5def3 100644
--- a/tests/qtest/meson.build
+++ b/tests/qtest/meson.build
@@ -276,13 +276,18 @@ endif
tpmemu_files = ['tpm-emu.c', 'tpm-util.c', 'tpm-tests.c']
+migration_files = [files('migration-helpers.c')]
+if gnutls.found()
+ migration_files += [files('../unit/crypto-tls-psk-helpers.c'), gnutls]
+endif
+
qtests = {
'bios-tables-test': [io, 'boot-sector.c', 'acpi-utils.c', 'tpm-emu.c'],
'cdrom-test': files('boot-sector.c'),
'dbus-vmstate-test': files('migration-helpers.c') + dbus_vmstate1,
'erst-test': files('erst-test.c'),
'ivshmem-test': [rt, '../../contrib/ivshmem-server/ivshmem-server.c'],
- 'migration-test': files('migration-helpers.c'),
+ 'migration-test': migration_files,
'pxe-test': files('boot-sector.c'),
'qos-test': [chardev, io, qos_test_ss.apply(config_host, strict: false).sources()],
'tpm-crb-swtpm-test': [io, tpmemu_files],
diff --git a/tests/qtest/migration-test.c b/tests/qtest/migration-test.c
index e40b408988..744a9f8123 100644
--- a/tests/qtest/migration-test.c
+++ b/tests/qtest/migration-test.c
@@ -23,9 +23,13 @@
#include "qapi/qapi-visit-sockets.h"
#include "qapi/qobject-input-visitor.h"
#include "qapi/qobject-output-visitor.h"
+#include "crypto/tlscredspsk.h"
#include "migration-helpers.h"
#include "tests/migration/migration-test.h"
+#ifdef CONFIG_GNUTLS
+# include "tests/unit/crypto-tls-psk-helpers.h"
+#endif
/* For dirty ring test; so far only x86_64 is supported */
#if defined(__linux__) && defined(HOST_X86_64)
@@ -658,6 +662,100 @@ static void test_migrate_end(QTestState *from, QTestState *to, bool test_dest)
cleanup("dest_serial");
}
+#ifdef CONFIG_GNUTLS
+struct TestMigrateTLSPSKData {
+ char *workdir;
+ char *workdiralt;
+ char *pskfile;
+ char *pskfilealt;
+};
+
+static void *
+test_migrate_tls_psk_start_common(QTestState *from,
+ QTestState *to,
+ bool mismatch)
+{
+ struct TestMigrateTLSPSKData *data =
+ g_new0(struct TestMigrateTLSPSKData, 1);
+ QDict *rsp;
+
+ data->workdir = g_strdup_printf("%s/tlscredspsk0", tmpfs);
+ data->pskfile = g_strdup_printf("%s/%s", data->workdir,
+ QCRYPTO_TLS_CREDS_PSKFILE);
+ mkdir(data->workdir, 0700);
+ test_tls_psk_init(data->pskfile);
+
+ if (mismatch) {
+ data->workdiralt = g_strdup_printf("%s/tlscredspskalt0", tmpfs);
+ data->pskfilealt = g_strdup_printf("%s/%s", data->workdiralt,
+ QCRYPTO_TLS_CREDS_PSKFILE);
+ mkdir(data->workdiralt, 0700);
+ test_tls_psk_init_alt(data->pskfilealt);
+ }
+
+ rsp = wait_command(from,
+ "{ 'execute': 'object-add',"
+ " 'arguments': { 'qom-type': 'tls-creds-psk',"
+ " 'id': 'tlscredspsk0',"
+ " 'endpoint': 'client',"
+ " 'dir': %s,"
+ " 'username': 'qemu'} }",
+ data->workdir);
+ qobject_unref(rsp);
+
+ rsp = wait_command(to,
+ "{ 'execute': 'object-add',"
+ " 'arguments': { 'qom-type': 'tls-creds-psk',"
+ " 'id': 'tlscredspsk0',"
+ " 'endpoint': 'server',"
+ " 'dir': %s } }",
+ mismatch ? data->workdiralt : data->workdir);
+ qobject_unref(rsp);
+
+ migrate_set_parameter_str(from, "tls-creds", "tlscredspsk0");
+ migrate_set_parameter_str(to, "tls-creds", "tlscredspsk0");
+
+ return data;
+}
+
+static void *
+test_migrate_tls_psk_start_match(QTestState *from,
+ QTestState *to)
+{
+ return test_migrate_tls_psk_start_common(from, to, false);
+}
+
+static void *
+test_migrate_tls_psk_start_mismatch(QTestState *from,
+ QTestState *to)
+{
+ return test_migrate_tls_psk_start_common(from, to, true);
+}
+
+static void
+test_migrate_tls_psk_finish(QTestState *from,
+ QTestState *to,
+ void *opaque)
+{
+ struct TestMigrateTLSPSKData *data = opaque;
+
+ test_tls_psk_cleanup(data->pskfile);
+ if (data->pskfilealt) {
+ test_tls_psk_cleanup(data->pskfilealt);
+ }
+ rmdir(data->workdir);
+ if (data->workdiralt) {
+ rmdir(data->workdiralt);
+ }
+
+ g_free(data->workdiralt);
+ g_free(data->pskfilealt);
+ g_free(data->workdir);
+ g_free(data->pskfile);
+ g_free(data);
+}
+#endif /* CONFIG_GNUTLS */
+
static int migrate_postcopy_prepare(QTestState **from_ptr,
QTestState **to_ptr,
MigrateStart *args)
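Review bot: Both mkdir() calls in test_migrate_tls_psk_start_common discard their return value, so a failure to create the 0700 credentials directory is only caught indirectly when test_tls_psk_init later fails to open the PSK file inside it, and the error message then names the file rather than the real cause. Since the directory holds a secret and the test relies on its 0700 mode, failing fast with the mkdir errno is clearer: `if (mkdir(data->workdir, 0700) < 0 && errno != EEXIST) {` / `    g_error("Failed to create %s: %s", data->workdir, strerror(errno));` / `}`, and the same for data->workdiralt in the mismatch branch. EEXIST is tolerated so that a directory left behind by an aborted earlier run does not turn into a spurious failure. A one-line comment on the mismatch branch would also help readers, e.g. `/* mismatch: the server is pointed at a directory holding a different PSK, so the handshake is expected to fail */`.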
@@ -918,27 +1016,45 @@ static void test_precopy_common(const char *listen_uri,
test_migrate_end(from, to, !expect_fail);
}
-static void test_precopy_unix_common(bool dirty_ring)
+
+static void test_precopy_unix_common(TestMigrateStartHook start_hook,
+ TestMigrateFinishHook finish_hook,
+ bool expect_fail,
+ bool dirty_ring)
{
g_autofree char *uri = g_strdup_printf("unix:%s/migsocket", tmpfs);
test_precopy_common(uri,
uri,
- NULL, /* start_hook */
- NULL, /* finish_hook */
- false, /* expect_fail */
+ start_hook,
+ finish_hook,
+ expect_fail,
false, /* dst_quit */
dirty_ring);
}
-static void test_precopy_unix(void)
+static void test_precopy_unix_plain(void)
{
- test_precopy_unix_common(false /* dirty_ring */);
+ test_precopy_unix_common(NULL, /* start_hook */
+ NULL, /* finish_hook */
+ false, /* expect_fail */
+ false /* dirty_ring */);
+}
+
+static void test_precopy_unix_tls_psk(void)
+{
+ test_precopy_unix_common(test_migrate_tls_psk_start_match,
+ test_migrate_tls_psk_finish,
+ false, /* expect_fail */
+ false /* dirty_ring */);
}
static void test_precopy_unix_dirty_ring(void)
{
- test_precopy_unix_common(true /* dirty_ring */);
+ test_precopy_unix_common(NULL, /* start_hook */
+ NULL, /* finish_hook */
+ false, /* clientReject */
+ true /* dirty_ring */);
}
#if 0
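Review bot: test_precopy_unix_tls_psk is defined outside any `#ifdef CONFIG_GNUTLS` guard but references test_migrate_tls_psk_start_match and test_migrate_tls_psk_finish, which the earlier hunk only defines under CONFIG_GNUTLS; a build without gnutls will therefore fail to compile this function, even though its registration in main() is correctly guarded. Wrap it the same way the tcp variants are in the next hunk: `#ifdef CONFIG_GNUTLS` before `static void test_precopy_unix_tls_psk(void)` and `#endif /* CONFIG_GNUTLS */` after its closing brace. Separately, the argument comment in test_precopy_unix_dirty_ring reads `false, /* clientReject */` but the parameter is expect_fail; it should be `false, /* expect_fail */` to match the sibling callers.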
@@ -1031,17 +1147,43 @@ static void test_xbzrle_unix(void)
test_xbzrle(uri);
}
-static void test_precopy_tcp(void)
+static void test_precopy_tcp_common(TestMigrateStartHook start_hook,
+ TestMigrateFinishHook finish_hook,
+ bool expect_fail)
{
test_precopy_common("tcp:127.0.0.1:0",
NULL, /* connect_uri */
- NULL, /* start_hook */
- NULL, /* finish_hook */
- false, /* expect_fail */
+ start_hook,
+ finish_hook,
+ expect_fail,
false, /* dst_quit */
false /* dirty_ring */);
}
+
+static void test_precopy_tcp_plain(void)
+{
+ test_precopy_tcp_common(NULL, /* start_hook */
+ NULL, /* finish_hook */
+ false /* expect_fail */);
+}
+
+#ifdef CONFIG_GNUTLS
+static void test_precopy_tcp_tls_psk_match(void)
+{
+ test_precopy_tcp_common(test_migrate_tls_psk_start_match,
+ test_migrate_tls_psk_finish,
+ false /* expect_fail */);
+}
+
+static void test_precopy_tcp_tls_psk_mismatch(void)
+{
+ test_precopy_tcp_common(test_migrate_tls_psk_start_mismatch,
+ test_migrate_tls_psk_finish,
+ true /* expect_fail */);
+}
+#endif /* CONFIG_GNUTLS */
+
static void *test_migrate_fd_start_hook(QTestState *from,
QTestState *to)
{
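Review bot: test_precopy_tcp_tls_psk_mismatch passes `true /* expect_fail */` without saying why failure is the expected outcome, which a reader of the test list cannot tell from the name alone. A short comment above the function would document the intent, e.g. `/* The server is given a PSK file with a different key than the client, so the TLS handshake must be rejected and migration must fail. */`.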
@@ -1505,8 +1647,20 @@ int main(int argc, char **argv)
qtest_add_func("/migration/postcopy/unix", test_postcopy);
qtest_add_func("/migration/postcopy/recovery", test_postcopy_recovery);
qtest_add_func("/migration/bad_dest", test_baddest);
- qtest_add_func("/migration/precopy/unix", test_precopy_unix);
- qtest_add_func("/migration/precopy/tcp", test_precopy_tcp);
+ qtest_add_func("/migration/precopy/unix/plain", test_precopy_unix_plain);
+#ifdef CONFIG_GNUTLS
+ qtest_add_func("/migration/precopy/unix/tls/psk",
+ test_precopy_unix_tls_psk);
+#endif /* CONFIG_GNUTLS */
+
+ qtest_add_func("/migration/precopy/tcp/plain", test_precopy_tcp_plain);
+#ifdef CONFIG_GNUTLS
+ qtest_add_func("/migration/precopy/tcp/tls/psk/match",
+ test_precopy_tcp_tls_psk_match);
+ qtest_add_func("/migration/precopy/tcp/tls/psk/mismatch",
+ test_precopy_tcp_tls_psk_mismatch);
+#endif /* CONFIG_GNUTLS */
+
/* qtest_add_func("/migration/ignore_shared", test_ignore_shared); */
qtest_add_func("/migration/xbzrle/unix", test_xbzrle_unix);
qtest_add_func("/migration/fd_proto", test_migrate_fd_proto);
diff --git a/tests/unit/crypto-tls-psk-helpers.c b/tests/unit/crypto-tls-psk-helpers.c
index 4bea7c6fa2..511e08cc9c 100644
--- a/tests/unit/crypto-tls-psk-helpers.c
+++ b/tests/unit/crypto-tls-psk-helpers.c
@@ -24,7 +24,8 @@
#include "crypto-tls-psk-helpers.h"
#include "qemu/sockets.h"
-void test_tls_psk_init(const char *pskfile)
+static void
+test_tls_psk_init_common(const char *pskfile, const char *user, const char *key)
{
FILE *fp;
@@ -33,11 +34,22 @@ void test_tls_psk_init(const char *pskfile)
g_critical("Failed to create pskfile %s: %s", pskfile, strerror(errno));
abort();
}
- /* Don't do this in real applications! Use psktool. */
- fprintf(fp, "qemu:009d5638c40fde0c\n");
+ fprintf(fp, "%s:%s\n", user, key);
fclose(fp);
}
+void test_tls_psk_init(const char *pskfile)
+{
+ /* Don't hard code a key like this in real applications! Use psktool. */
+ test_tls_psk_init_common(pskfile, "qemu", "009d5638c40fde0c");
+}
+
+void test_tls_psk_init_alt(const char *pskfile)
+{
+ /* Don't hard code a key like this in real applications! Use psktool. */
+ test_tls_psk_init_common(pskfile, "qemu", "10ffa6a2c42f0388");
+}
+
void test_tls_psk_cleanup(const char *pskfile)
{
unlink(pskfile);
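Review bot: The new `fprintf(fp, "%s:%s\n", user, key);` and the existing `fclose(fp);` in test_tls_psk_init_common ignore their return values, so a write error on tmpfs leaves a truncated or empty PSK file and the failure only surfaces later as a confusing TLS handshake error in the migration test; the function already aborts when fopen fails, so the write path should be held to the same standard. The function's opening and the fopen check are in the previous hunk. I would replace the two lines with a combined check that aborts with errno, mirroring the fopen handling.
```c
/* … unchanged: fopen and its failure check … */
    if (fprintf(fp, "%s:%s\n", user, key) < 0 || fclose(fp) != 0) {
        g_critical("Failed to write pskfile %s: %s", pskfile, strerror(errno));
        abort();
    }
```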
diff --git a/tests/unit/crypto-tls-psk-helpers.h b/tests/unit/crypto-tls-psk-helpers.h
index faa645c629..67f8bdda71 100644
--- a/tests/unit/crypto-tls-psk-helpers.h
+++ b/tests/unit/crypto-tls-psk-helpers.h
@@ -24,6 +24,7 @@
#include <gnutls/gnutls.h>
void test_tls_psk_init(const char *keyfile);
+void test_tls_psk_init_alt(const char *keyfile);
void test_tls_psk_cleanup(const char *keyfile);
#endif
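Review bot: The new prototype names its parameter `keyfile` while the definition in crypto-tls-psk-helpers.c calls it `pskfile`; the existing declarations have the same mismatch, but the new line could use `void test_tls_psk_init_alt(const char *pskfile);` so at least the added API reads consistently with its implementation. A brief comment stating that the "alt" variant writes a PSK file with a different key for the same username, intended for negative (mismatch) tests, would also help callers pick the right helper.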
--
2.34.1