1 /* 2 * QTest testcases for TLS migration 3 * 4 * Copyright (c) 2016-2018 Red Hat, Inc. and/or its affiliates 5 * based on the vhost-user-test.c that is: 6 * Copyright (c) 2014 Virtual Open Systems Sarl. 7 * 8 * This work is licensed under the terms of the GNU GPL, version 2 or later. 9 * See the COPYING file in the top-level directory. 10 * 11 */ 12 13 #include "qemu/osdep.h" 14 #include "crypto/tlscredspsk.h" 15 #include "libqtest.h" 16 #include "migration/framework.h" 17 #include "migration/migration-qmp.h" 18 #include "migration/migration-util.h" 19 20 #include "tests/unit/crypto-tls-psk-helpers.h" 21 #ifdef CONFIG_TASN1 22 # include "tests/unit/crypto-tls-x509-helpers.h" 23 #endif /* CONFIG_TASN1 */ 24 25 26 struct TestMigrateTLSPSKData { 27 char *workdir; 28 char *workdiralt; 29 char *pskfile; 30 char *pskfilealt; 31 }; 32 33 static char *tmpfs; 34 35 static void * 36 migrate_hook_start_tls_psk_common(QTestState *from, 37 QTestState *to, 38 bool mismatch) 39 { 40 struct TestMigrateTLSPSKData *data = 41 g_new0(struct TestMigrateTLSPSKData, 1); 42 43 data->workdir = g_strdup_printf("%s/tlscredspsk0", tmpfs); 44 data->pskfile = g_strdup_printf("%s/%s", data->workdir, 45 QCRYPTO_TLS_CREDS_PSKFILE); 46 g_mkdir_with_parents(data->workdir, 0700); 47 test_tls_psk_init(data->pskfile); 48 49 if (mismatch) { 50 data->workdiralt = g_strdup_printf("%s/tlscredspskalt0", tmpfs); 51 data->pskfilealt = g_strdup_printf("%s/%s", data->workdiralt, 52 QCRYPTO_TLS_CREDS_PSKFILE); 53 g_mkdir_with_parents(data->workdiralt, 0700); 54 test_tls_psk_init_alt(data->pskfilealt); 55 } 56 57 qtest_qmp_assert_success(from, 58 "{ 'execute': 'object-add'," 59 " 'arguments': { 'qom-type': 'tls-creds-psk'," 60 " 'id': 'tlscredspsk0'," 61 " 'endpoint': 'client'," 62 " 'dir': %s," 63 " 'username': 'qemu'} }", 64 data->workdir); 65 66 qtest_qmp_assert_success(to, 67 "{ 'execute': 'object-add'," 68 " 'arguments': { 'qom-type': 'tls-creds-psk'," 69 " 'id': 'tlscredspsk0'," 70 " 'endpoint': 'server'," 71 " 'dir': %s } }", 72 mismatch ? data->workdiralt : data->workdir); 73 74 migrate_set_parameter_str(from, "tls-creds", "tlscredspsk0"); 75 migrate_set_parameter_str(to, "tls-creds", "tlscredspsk0"); 76 77 return data; 78 } 79 80 static void * 81 migrate_hook_start_tls_psk_match(QTestState *from, 82 QTestState *to) 83 { 84 return migrate_hook_start_tls_psk_common(from, to, false); 85 } 86 87 static void * 88 migrate_hook_start_tls_psk_mismatch(QTestState *from, 89 QTestState *to) 90 { 91 return migrate_hook_start_tls_psk_common(from, to, true); 92 } 93 94 static void 95 migrate_hook_end_tls_psk(QTestState *from, 96 QTestState *to, 97 void *opaque) 98 { 99 struct TestMigrateTLSPSKData *data = opaque; 100 101 test_tls_psk_cleanup(data->pskfile); 102 if (data->pskfilealt) { 103 test_tls_psk_cleanup(data->pskfilealt); 104 } 105 rmdir(data->workdir); 106 if (data->workdiralt) { 107 rmdir(data->workdiralt); 108 } 109 110 g_free(data->workdiralt); 111 g_free(data->pskfilealt); 112 g_free(data->workdir); 113 g_free(data->pskfile); 114 g_free(data); 115 } 116 117 #ifdef CONFIG_TASN1 118 typedef struct { 119 char *workdir; 120 char *keyfile; 121 char *cacert; 122 char *servercert; 123 char *serverkey; 124 char *clientcert; 125 char *clientkey; 126 } TestMigrateTLSX509Data; 127 128 typedef struct { 129 bool verifyclient; 130 bool clientcert; 131 bool hostileclient; 132 bool authzclient; 133 const char *certhostname; 134 const char *certipaddr; 135 } TestMigrateTLSX509; 136 137 static void * 138 migrate_hook_start_tls_x509_common(QTestState *from, 139 QTestState *to, 140 TestMigrateTLSX509 *args) 141 { 142 TestMigrateTLSX509Data *data = g_new0(TestMigrateTLSX509Data, 1); 143 144 data->workdir = g_strdup_printf("%s/tlscredsx5090", tmpfs); 145 data->keyfile = g_strdup_printf("%s/key.pem", data->workdir); 146 147 data->cacert = g_strdup_printf("%s/ca-cert.pem", data->workdir); 148 data->serverkey = g_strdup_printf("%s/server-key.pem", data->workdir); 149 data->servercert = g_strdup_printf("%s/server-cert.pem", data->workdir); 150 if (args->clientcert) { 151 data->clientkey = g_strdup_printf("%s/client-key.pem", data->workdir); 152 data->clientcert = g_strdup_printf("%s/client-cert.pem", data->workdir); 153 } 154 155 g_mkdir_with_parents(data->workdir, 0700); 156 157 test_tls_init(data->keyfile); 158 #ifndef _WIN32 159 g_assert(link(data->keyfile, data->serverkey) == 0); 160 #else 161 g_assert(CreateHardLink(data->serverkey, data->keyfile, NULL) != 0); 162 #endif 163 if (args->clientcert) { 164 #ifndef _WIN32 165 g_assert(link(data->keyfile, data->clientkey) == 0); 166 #else 167 g_assert(CreateHardLink(data->clientkey, data->keyfile, NULL) != 0); 168 #endif 169 } 170 171 TLS_ROOT_REQ_SIMPLE(cacertreq, data->cacert); 172 if (args->clientcert) { 173 TLS_CERT_REQ_SIMPLE_CLIENT(servercertreq, cacertreq, 174 args->hostileclient ? 175 QCRYPTO_TLS_TEST_CLIENT_HOSTILE_NAME : 176 QCRYPTO_TLS_TEST_CLIENT_NAME, 177 data->clientcert); 178 test_tls_deinit_cert(&servercertreq); 179 } 180 181 TLS_CERT_REQ_SIMPLE_SERVER(clientcertreq, cacertreq, 182 data->servercert, 183 args->certhostname, 184 args->certipaddr); 185 test_tls_deinit_cert(&clientcertreq); 186 test_tls_deinit_cert(&cacertreq); 187 188 qtest_qmp_assert_success(from, 189 "{ 'execute': 'object-add'," 190 " 'arguments': { 'qom-type': 'tls-creds-x509'," 191 " 'id': 'tlscredsx509client0'," 192 " 'endpoint': 'client'," 193 " 'dir': %s," 194 " 'sanity-check': true," 195 " 'verify-peer': true} }", 196 data->workdir); 197 migrate_set_parameter_str(from, "tls-creds", "tlscredsx509client0"); 198 if (args->certhostname) { 199 migrate_set_parameter_str(from, "tls-hostname", args->certhostname); 200 } 201 202 qtest_qmp_assert_success(to, 203 "{ 'execute': 'object-add'," 204 " 'arguments': { 'qom-type': 'tls-creds-x509'," 205 " 'id': 'tlscredsx509server0'," 206 " 'endpoint': 'server'," 207 " 'dir': %s," 208 " 'sanity-check': true," 209 " 'verify-peer': %i} }", 210 data->workdir, args->verifyclient); 211 migrate_set_parameter_str(to, "tls-creds", "tlscredsx509server0"); 212 213 if (args->authzclient) { 214 qtest_qmp_assert_success(to, 215 "{ 'execute': 'object-add'," 216 " 'arguments': { 'qom-type': 'authz-simple'," 217 " 'id': 'tlsauthz0'," 218 " 'identity': %s} }", 219 "CN=" QCRYPTO_TLS_TEST_CLIENT_NAME); 220 migrate_set_parameter_str(to, "tls-authz", "tlsauthz0"); 221 } 222 223 return data; 224 } 225 226 /* 227 * The normal case: match server's cert hostname against 228 * whatever host we were telling QEMU to connect to (if any) 229 */ 230 static void * 231 migrate_hook_start_tls_x509_default_host(QTestState *from, 232 QTestState *to) 233 { 234 TestMigrateTLSX509 args = { 235 .verifyclient = true, 236 .clientcert = true, 237 .certipaddr = "127.0.0.1" 238 }; 239 return migrate_hook_start_tls_x509_common(from, to, &args); 240 } 241 242 /* 243 * The unusual case: the server's cert is different from 244 * the address we're telling QEMU to connect to (if any), 245 * so we must give QEMU an explicit hostname to validate 246 */ 247 static void * 248 migrate_hook_start_tls_x509_override_host(QTestState *from, 249 QTestState *to) 250 { 251 TestMigrateTLSX509 args = { 252 .verifyclient = true, 253 .clientcert = true, 254 .certhostname = "qemu.org", 255 }; 256 return migrate_hook_start_tls_x509_common(from, to, &args); 257 } 258 259 /* 260 * The unusual case: the server's cert is different from 261 * the address we're telling QEMU to connect to, and so we 262 * expect the client to reject the server 263 */ 264 static void * 265 migrate_hook_start_tls_x509_mismatch_host(QTestState *from, 266 QTestState *to) 267 { 268 TestMigrateTLSX509 args = { 269 .verifyclient = true, 270 .clientcert = true, 271 .certipaddr = "10.0.0.1", 272 }; 273 return migrate_hook_start_tls_x509_common(from, to, &args); 274 } 275 276 static void * 277 migrate_hook_start_tls_x509_friendly_client(QTestState *from, 278 QTestState *to) 279 { 280 TestMigrateTLSX509 args = { 281 .verifyclient = true, 282 .clientcert = true, 283 .authzclient = true, 284 .certipaddr = "127.0.0.1", 285 }; 286 return migrate_hook_start_tls_x509_common(from, to, &args); 287 } 288 289 static void * 290 migrate_hook_start_tls_x509_hostile_client(QTestState *from, 291 QTestState *to) 292 { 293 TestMigrateTLSX509 args = { 294 .verifyclient = true, 295 .clientcert = true, 296 .hostileclient = true, 297 .authzclient = true, 298 .certipaddr = "127.0.0.1", 299 }; 300 return migrate_hook_start_tls_x509_common(from, to, &args); 301 } 302 303 /* 304 * The case with no client certificate presented, 305 * and no server verification 306 */ 307 static void * 308 migrate_hook_start_tls_x509_allow_anon_client(QTestState *from, 309 QTestState *to) 310 { 311 TestMigrateTLSX509 args = { 312 .certipaddr = "127.0.0.1", 313 }; 314 return migrate_hook_start_tls_x509_common(from, to, &args); 315 } 316 317 /* 318 * The case with no client certificate presented, 319 * and server verification rejecting 320 */ 321 static void * 322 migrate_hook_start_tls_x509_reject_anon_client(QTestState *from, 323 QTestState *to) 324 { 325 TestMigrateTLSX509 args = { 326 .verifyclient = true, 327 .certipaddr = "127.0.0.1", 328 }; 329 return migrate_hook_start_tls_x509_common(from, to, &args); 330 } 331 332 static void 333 migrate_hook_end_tls_x509(QTestState *from, 334 QTestState *to, 335 void *opaque) 336 { 337 TestMigrateTLSX509Data *data = opaque; 338 339 test_tls_cleanup(data->keyfile); 340 g_free(data->keyfile); 341 342 unlink(data->cacert); 343 g_free(data->cacert); 344 unlink(data->servercert); 345 g_free(data->servercert); 346 unlink(data->serverkey); 347 g_free(data->serverkey); 348 349 if (data->clientcert) { 350 unlink(data->clientcert); 351 g_free(data->clientcert); 352 } 353 if (data->clientkey) { 354 unlink(data->clientkey); 355 g_free(data->clientkey); 356 } 357 358 rmdir(data->workdir); 359 g_free(data->workdir); 360 361 g_free(data); 362 } 363 #endif /* CONFIG_TASN1 */ 364 365 static void test_postcopy_tls_psk(void) 366 { 367 MigrateCommon args = { 368 .start_hook = migrate_hook_start_tls_psk_match, 369 .end_hook = migrate_hook_end_tls_psk, 370 }; 371 372 test_postcopy_common(&args); 373 } 374 375 static void test_postcopy_preempt_tls_psk(void) 376 { 377 MigrateCommon args = { 378 .start_hook = migrate_hook_start_tls_psk_match, 379 .end_hook = migrate_hook_end_tls_psk, 380 .start = { 381 .caps[MIGRATION_CAPABILITY_POSTCOPY_PREEMPT] = true, 382 }, 383 }; 384 385 test_postcopy_common(&args); 386 } 387 388 static void test_postcopy_recovery_tls_psk(void) 389 { 390 MigrateCommon args = { 391 .start_hook = migrate_hook_start_tls_psk_match, 392 .end_hook = migrate_hook_end_tls_psk, 393 }; 394 395 test_postcopy_recovery_common(&args); 396 } 397 398 /* This contains preempt+recovery+tls test altogether */ 399 static void test_postcopy_preempt_all(void) 400 { 401 MigrateCommon args = { 402 .start_hook = migrate_hook_start_tls_psk_match, 403 .end_hook = migrate_hook_end_tls_psk, 404 .start = { 405 .caps[MIGRATION_CAPABILITY_POSTCOPY_PREEMPT] = true, 406 }, 407 }; 408 409 test_postcopy_recovery_common(&args); 410 } 411 412 static void test_precopy_unix_tls_psk(void) 413 { 414 g_autofree char *uri = g_strdup_printf("unix:%s/migsocket", tmpfs); 415 MigrateCommon args = { 416 .connect_uri = uri, 417 .listen_uri = uri, 418 .start_hook = migrate_hook_start_tls_psk_match, 419 .end_hook = migrate_hook_end_tls_psk, 420 }; 421 422 test_precopy_common(&args); 423 } 424 425 #ifdef CONFIG_TASN1 426 static void test_precopy_unix_tls_x509_default_host(void) 427 { 428 g_autofree char *uri = g_strdup_printf("unix:%s/migsocket", tmpfs); 429 MigrateCommon args = { 430 .start = { 431 .hide_stderr = true, 432 }, 433 .connect_uri = uri, 434 .listen_uri = uri, 435 .start_hook = migrate_hook_start_tls_x509_default_host, 436 .end_hook = migrate_hook_end_tls_x509, 437 .result = MIG_TEST_FAIL_DEST_QUIT_ERR, 438 }; 439 440 test_precopy_common(&args); 441 } 442 443 static void test_precopy_unix_tls_x509_override_host(void) 444 { 445 g_autofree char *uri = g_strdup_printf("unix:%s/migsocket", tmpfs); 446 MigrateCommon args = { 447 .connect_uri = uri, 448 .listen_uri = uri, 449 .start_hook = migrate_hook_start_tls_x509_override_host, 450 .end_hook = migrate_hook_end_tls_x509, 451 }; 452 453 test_precopy_common(&args); 454 } 455 #endif /* CONFIG_TASN1 */ 456 457 static void test_precopy_tcp_tls_psk_match(void) 458 { 459 MigrateCommon args = { 460 .listen_uri = "tcp:127.0.0.1:0", 461 .start_hook = migrate_hook_start_tls_psk_match, 462 .end_hook = migrate_hook_end_tls_psk, 463 }; 464 465 test_precopy_common(&args); 466 } 467 468 static void test_precopy_tcp_tls_psk_mismatch(void) 469 { 470 MigrateCommon args = { 471 .start = { 472 .hide_stderr = true, 473 }, 474 .listen_uri = "tcp:127.0.0.1:0", 475 .start_hook = migrate_hook_start_tls_psk_mismatch, 476 .end_hook = migrate_hook_end_tls_psk, 477 .result = MIG_TEST_FAIL, 478 }; 479 480 test_precopy_common(&args); 481 } 482 483 #ifdef CONFIG_TASN1 484 static void test_precopy_tcp_tls_x509_default_host(void) 485 { 486 MigrateCommon args = { 487 .listen_uri = "tcp:127.0.0.1:0", 488 .start_hook = migrate_hook_start_tls_x509_default_host, 489 .end_hook = migrate_hook_end_tls_x509, 490 }; 491 492 test_precopy_common(&args); 493 } 494 495 static void test_precopy_tcp_tls_x509_override_host(void) 496 { 497 MigrateCommon args = { 498 .listen_uri = "tcp:127.0.0.1:0", 499 .start_hook = migrate_hook_start_tls_x509_override_host, 500 .end_hook = migrate_hook_end_tls_x509, 501 }; 502 503 test_precopy_common(&args); 504 } 505 506 static void test_precopy_tcp_tls_x509_mismatch_host(void) 507 { 508 MigrateCommon args = { 509 .start = { 510 .hide_stderr = true, 511 }, 512 .listen_uri = "tcp:127.0.0.1:0", 513 .start_hook = migrate_hook_start_tls_x509_mismatch_host, 514 .end_hook = migrate_hook_end_tls_x509, 515 .result = MIG_TEST_FAIL_DEST_QUIT_ERR, 516 }; 517 518 test_precopy_common(&args); 519 } 520 521 static void test_precopy_tcp_tls_x509_friendly_client(void) 522 { 523 MigrateCommon args = { 524 .listen_uri = "tcp:127.0.0.1:0", 525 .start_hook = migrate_hook_start_tls_x509_friendly_client, 526 .end_hook = migrate_hook_end_tls_x509, 527 }; 528 529 test_precopy_common(&args); 530 } 531 532 static void test_precopy_tcp_tls_x509_hostile_client(void) 533 { 534 MigrateCommon args = { 535 .start = { 536 .hide_stderr = true, 537 }, 538 .listen_uri = "tcp:127.0.0.1:0", 539 .start_hook = migrate_hook_start_tls_x509_hostile_client, 540 .end_hook = migrate_hook_end_tls_x509, 541 .result = MIG_TEST_FAIL, 542 }; 543 544 test_precopy_common(&args); 545 } 546 547 static void test_precopy_tcp_tls_x509_allow_anon_client(void) 548 { 549 MigrateCommon args = { 550 .listen_uri = "tcp:127.0.0.1:0", 551 .start_hook = migrate_hook_start_tls_x509_allow_anon_client, 552 .end_hook = migrate_hook_end_tls_x509, 553 }; 554 555 test_precopy_common(&args); 556 } 557 558 static void test_precopy_tcp_tls_x509_reject_anon_client(void) 559 { 560 MigrateCommon args = { 561 .start = { 562 .hide_stderr = true, 563 }, 564 .listen_uri = "tcp:127.0.0.1:0", 565 .start_hook = migrate_hook_start_tls_x509_reject_anon_client, 566 .end_hook = migrate_hook_end_tls_x509, 567 .result = MIG_TEST_FAIL, 568 }; 569 570 test_precopy_common(&args); 571 } 572 #endif /* CONFIG_TASN1 */ 573 574 static void * 575 migrate_hook_start_multifd_tcp_tls_psk_match(QTestState *from, 576 QTestState *to) 577 { 578 migrate_hook_start_precopy_tcp_multifd_common(from, to, "none"); 579 return migrate_hook_start_tls_psk_match(from, to); 580 } 581 582 static void * 583 migrate_hook_start_multifd_tcp_tls_psk_mismatch(QTestState *from, 584 QTestState *to) 585 { 586 migrate_hook_start_precopy_tcp_multifd_common(from, to, "none"); 587 return migrate_hook_start_tls_psk_mismatch(from, to); 588 } 589 590 #ifdef CONFIG_TASN1 591 static void * 592 migrate_hook_start_multifd_tls_x509_default_host(QTestState *from, 593 QTestState *to) 594 { 595 migrate_hook_start_precopy_tcp_multifd_common(from, to, "none"); 596 return migrate_hook_start_tls_x509_default_host(from, to); 597 } 598 599 static void * 600 migrate_hook_start_multifd_tls_x509_override_host(QTestState *from, 601 QTestState *to) 602 { 603 migrate_hook_start_precopy_tcp_multifd_common(from, to, "none"); 604 return migrate_hook_start_tls_x509_override_host(from, to); 605 } 606 607 static void * 608 migrate_hook_start_multifd_tls_x509_mismatch_host(QTestState *from, 609 QTestState *to) 610 { 611 migrate_hook_start_precopy_tcp_multifd_common(from, to, "none"); 612 return migrate_hook_start_tls_x509_mismatch_host(from, to); 613 } 614 615 static void * 616 migrate_hook_start_multifd_tls_x509_allow_anon_client(QTestState *from, 617 QTestState *to) 618 { 619 migrate_hook_start_precopy_tcp_multifd_common(from, to, "none"); 620 return migrate_hook_start_tls_x509_allow_anon_client(from, to); 621 } 622 623 static void * 624 migrate_hook_start_multifd_tls_x509_reject_anon_client(QTestState *from, 625 QTestState *to) 626 { 627 migrate_hook_start_precopy_tcp_multifd_common(from, to, "none"); 628 return migrate_hook_start_tls_x509_reject_anon_client(from, to); 629 } 630 #endif /* CONFIG_TASN1 */ 631 632 static void test_multifd_tcp_tls_psk_match(void) 633 { 634 MigrateCommon args = { 635 .listen_uri = "defer", 636 .start_hook = migrate_hook_start_multifd_tcp_tls_psk_match, 637 .end_hook = migrate_hook_end_tls_psk, 638 .start = { 639 .caps[MIGRATION_CAPABILITY_MULTIFD] = true, 640 }, 641 }; 642 test_precopy_common(&args); 643 } 644 645 static void test_multifd_tcp_tls_psk_mismatch(void) 646 { 647 MigrateCommon args = { 648 .start = { 649 .hide_stderr = true, 650 .caps[MIGRATION_CAPABILITY_MULTIFD] = true, 651 }, 652 .listen_uri = "defer", 653 .start_hook = migrate_hook_start_multifd_tcp_tls_psk_mismatch, 654 .end_hook = migrate_hook_end_tls_psk, 655 .result = MIG_TEST_FAIL, 656 }; 657 test_precopy_common(&args); 658 } 659 660 #ifdef CONFIG_TASN1 661 static void test_multifd_tcp_tls_x509_default_host(void) 662 { 663 MigrateCommon args = { 664 .listen_uri = "defer", 665 .start_hook = migrate_hook_start_multifd_tls_x509_default_host, 666 .end_hook = migrate_hook_end_tls_x509, 667 .start = { 668 .caps[MIGRATION_CAPABILITY_MULTIFD] = true, 669 }, 670 }; 671 test_precopy_common(&args); 672 } 673 674 static void test_multifd_tcp_tls_x509_override_host(void) 675 { 676 MigrateCommon args = { 677 .listen_uri = "defer", 678 .start_hook = migrate_hook_start_multifd_tls_x509_override_host, 679 .end_hook = migrate_hook_end_tls_x509, 680 .start = { 681 .caps[MIGRATION_CAPABILITY_MULTIFD] = true, 682 }, 683 }; 684 test_precopy_common(&args); 685 } 686 687 static void test_multifd_tcp_tls_x509_mismatch_host(void) 688 { 689 /* 690 * This has different behaviour to the non-multifd case. 691 * 692 * In non-multifd case when client aborts due to mismatched 693 * cert host, the server has already started trying to load 694 * migration state, and so it exits with I/O failure. 695 * 696 * In multifd case when client aborts due to mismatched 697 * cert host, the server is still waiting for the other 698 * multifd connections to arrive so hasn't started trying 699 * to load migration state, and thus just aborts the migration 700 * without exiting. 701 */ 702 MigrateCommon args = { 703 .start = { 704 .hide_stderr = true, 705 .caps[MIGRATION_CAPABILITY_MULTIFD] = true, 706 }, 707 .listen_uri = "defer", 708 .start_hook = migrate_hook_start_multifd_tls_x509_mismatch_host, 709 .end_hook = migrate_hook_end_tls_x509, 710 .result = MIG_TEST_FAIL, 711 }; 712 test_precopy_common(&args); 713 } 714 715 static void test_multifd_tcp_tls_x509_allow_anon_client(void) 716 { 717 MigrateCommon args = { 718 .listen_uri = "defer", 719 .start_hook = migrate_hook_start_multifd_tls_x509_allow_anon_client, 720 .end_hook = migrate_hook_end_tls_x509, 721 .start = { 722 .caps[MIGRATION_CAPABILITY_MULTIFD] = true, 723 }, 724 }; 725 test_precopy_common(&args); 726 } 727 728 static void test_multifd_tcp_tls_x509_reject_anon_client(void) 729 { 730 MigrateCommon args = { 731 .start = { 732 .hide_stderr = true, 733 .caps[MIGRATION_CAPABILITY_MULTIFD] = true, 734 }, 735 .listen_uri = "defer", 736 .start_hook = migrate_hook_start_multifd_tls_x509_reject_anon_client, 737 .end_hook = migrate_hook_end_tls_x509, 738 .result = MIG_TEST_FAIL, 739 }; 740 test_precopy_common(&args); 741 } 742 #endif /* CONFIG_TASN1 */ 743 744 static void migration_test_add_tls_smoke(MigrationTestEnv *env) 745 { 746 migration_test_add("/migration/precopy/tcp/tls/psk/match", 747 test_precopy_tcp_tls_psk_match); 748 } 749 750 void migration_test_add_tls(MigrationTestEnv *env) 751 { 752 tmpfs = env->tmpfs; 753 754 migration_test_add_tls_smoke(env); 755 756 if (!env->full_set) { 757 return; 758 } 759 760 migration_test_add("/migration/precopy/unix/tls/psk", 761 test_precopy_unix_tls_psk); 762 763 if (env->has_uffd) { 764 /* 765 * NOTE: psk test is enough for postcopy, as other types of TLS 766 * channels are tested under precopy. Here what we want to test is the 767 * general postcopy path that has TLS channel enabled. 768 */ 769 migration_test_add("/migration/postcopy/tls/psk", 770 test_postcopy_tls_psk); 771 migration_test_add("/migration/postcopy/recovery/tls/psk", 772 test_postcopy_recovery_tls_psk); 773 migration_test_add("/migration/postcopy/preempt/tls/psk", 774 test_postcopy_preempt_tls_psk); 775 migration_test_add("/migration/postcopy/preempt/recovery/tls/psk", 776 test_postcopy_preempt_all); 777 } 778 #ifdef CONFIG_TASN1 779 migration_test_add("/migration/precopy/unix/tls/x509/default-host", 780 test_precopy_unix_tls_x509_default_host); 781 migration_test_add("/migration/precopy/unix/tls/x509/override-host", 782 test_precopy_unix_tls_x509_override_host); 783 #endif /* CONFIG_TASN1 */ 784 785 migration_test_add("/migration/precopy/tcp/tls/psk/mismatch", 786 test_precopy_tcp_tls_psk_mismatch); 787 #ifdef CONFIG_TASN1 788 migration_test_add("/migration/precopy/tcp/tls/x509/default-host", 789 test_precopy_tcp_tls_x509_default_host); 790 migration_test_add("/migration/precopy/tcp/tls/x509/override-host", 791 test_precopy_tcp_tls_x509_override_host); 792 migration_test_add("/migration/precopy/tcp/tls/x509/mismatch-host", 793 test_precopy_tcp_tls_x509_mismatch_host); 794 migration_test_add("/migration/precopy/tcp/tls/x509/friendly-client", 795 test_precopy_tcp_tls_x509_friendly_client); 796 migration_test_add("/migration/precopy/tcp/tls/x509/hostile-client", 797 test_precopy_tcp_tls_x509_hostile_client); 798 migration_test_add("/migration/precopy/tcp/tls/x509/allow-anon-client", 799 test_precopy_tcp_tls_x509_allow_anon_client); 800 migration_test_add("/migration/precopy/tcp/tls/x509/reject-anon-client", 801 test_precopy_tcp_tls_x509_reject_anon_client); 802 #endif /* CONFIG_TASN1 */ 803 804 migration_test_add("/migration/multifd/tcp/tls/psk/match", 805 test_multifd_tcp_tls_psk_match); 806 migration_test_add("/migration/multifd/tcp/tls/psk/mismatch", 807 test_multifd_tcp_tls_psk_mismatch); 808 #ifdef CONFIG_TASN1 809 migration_test_add("/migration/multifd/tcp/tls/x509/default-host", 810 test_multifd_tcp_tls_x509_default_host); 811 migration_test_add("/migration/multifd/tcp/tls/x509/override-host", 812 test_multifd_tcp_tls_x509_override_host); 813 migration_test_add("/migration/multifd/tcp/tls/x509/mismatch-host", 814 test_multifd_tcp_tls_x509_mismatch_host); 815 migration_test_add("/migration/multifd/tcp/tls/x509/allow-anon-client", 816 test_multifd_tcp_tls_x509_allow_anon_client); 817 migration_test_add("/migration/multifd/tcp/tls/x509/reject-anon-client", 818 test_multifd_tcp_tls_x509_reject_anon_client); 819 #endif /* CONFIG_TASN1 */ 820 } 821