xref: /openbmc/qemu/tests/qtest/migration/tls-tests.c (revision dc1424319311f86449c6825ceec2364ee645a363)
1 /*
2  * QTest testcases for TLS migration
3  *
4  * Copyright (c) 2016-2018 Red Hat, Inc. and/or its affiliates
5  *   based on the vhost-user-test.c that is:
6  *      Copyright (c) 2014 Virtual Open Systems Sarl.
7  *
8  * This work is licensed under the terms of the GNU GPL, version 2 or later.
9  * See the COPYING file in the top-level directory.
10  *
11  */
12 
13 #include "qemu/osdep.h"
14 #include "crypto/tlscredspsk.h"
15 #include "libqtest.h"
16 #include "migration/framework.h"
17 #include "migration/migration-qmp.h"
18 #include "migration/migration-util.h"
19 
20 #include "tests/unit/crypto-tls-psk-helpers.h"
21 #ifdef CONFIG_TASN1
22 # include "tests/unit/crypto-tls-x509-helpers.h"
23 #endif /* CONFIG_TASN1 */
24 
25 
26 struct TestMigrateTLSPSKData {
27     char *workdir;
28     char *workdiralt;
29     char *pskfile;
30     char *pskfilealt;
31 };
32 
33 static char *tmpfs;
34 
35 static void *
36 migrate_hook_start_tls_psk_common(QTestState *from,
37                                   QTestState *to,
38                                   bool mismatch)
39 {
40     struct TestMigrateTLSPSKData *data =
41         g_new0(struct TestMigrateTLSPSKData, 1);
42 
43     data->workdir = g_strdup_printf("%s/tlscredspsk0", tmpfs);
44     data->pskfile = g_strdup_printf("%s/%s", data->workdir,
45                                     QCRYPTO_TLS_CREDS_PSKFILE);
46     g_mkdir_with_parents(data->workdir, 0700);
47     test_tls_psk_init(data->pskfile);
48 
49     if (mismatch) {
50         data->workdiralt = g_strdup_printf("%s/tlscredspskalt0", tmpfs);
51         data->pskfilealt = g_strdup_printf("%s/%s", data->workdiralt,
52                                            QCRYPTO_TLS_CREDS_PSKFILE);
53         g_mkdir_with_parents(data->workdiralt, 0700);
54         test_tls_psk_init_alt(data->pskfilealt);
55     }
56 
57     qtest_qmp_assert_success(from,
58                              "{ 'execute': 'object-add',"
59                              "  'arguments': { 'qom-type': 'tls-creds-psk',"
60                              "                 'id': 'tlscredspsk0',"
61                              "                 'endpoint': 'client',"
62                              "                 'dir': %s,"
63                              "                 'username': 'qemu'} }",
64                              data->workdir);
65 
66     qtest_qmp_assert_success(to,
67                              "{ 'execute': 'object-add',"
68                              "  'arguments': { 'qom-type': 'tls-creds-psk',"
69                              "                 'id': 'tlscredspsk0',"
70                              "                 'endpoint': 'server',"
71                              "                 'dir': %s } }",
72                              mismatch ? data->workdiralt : data->workdir);
73 
74     migrate_set_parameter_str(from, "tls-creds", "tlscredspsk0");
75     migrate_set_parameter_str(to, "tls-creds", "tlscredspsk0");
76 
77     return data;
78 }
79 
80 static void *
81 migrate_hook_start_tls_psk_match(QTestState *from,
82                                  QTestState *to)
83 {
84     return migrate_hook_start_tls_psk_common(from, to, false);
85 }
86 
87 static void *
88 migrate_hook_start_tls_psk_mismatch(QTestState *from,
89                                     QTestState *to)
90 {
91     return migrate_hook_start_tls_psk_common(from, to, true);
92 }
93 
94 static void
95 migrate_hook_end_tls_psk(QTestState *from,
96                          QTestState *to,
97                          void *opaque)
98 {
99     struct TestMigrateTLSPSKData *data = opaque;
100 
101     test_tls_psk_cleanup(data->pskfile);
102     if (data->pskfilealt) {
103         test_tls_psk_cleanup(data->pskfilealt);
104     }
105     rmdir(data->workdir);
106     if (data->workdiralt) {
107         rmdir(data->workdiralt);
108     }
109 
110     g_free(data->workdiralt);
111     g_free(data->pskfilealt);
112     g_free(data->workdir);
113     g_free(data->pskfile);
114     g_free(data);
115 }
116 
117 #ifdef CONFIG_TASN1
118 typedef struct {
119     char *workdir;
120     char *keyfile;
121     char *cacert;
122     char *servercert;
123     char *serverkey;
124     char *clientcert;
125     char *clientkey;
126 } TestMigrateTLSX509Data;
127 
128 typedef struct {
129     bool verifyclient;
130     bool clientcert;
131     bool hostileclient;
132     bool authzclient;
133     const char *certhostname;
134     const char *certipaddr;
135 } TestMigrateTLSX509;
136 
137 static void *
138 migrate_hook_start_tls_x509_common(QTestState *from,
139                                    QTestState *to,
140                                    TestMigrateTLSX509 *args)
141 {
142     TestMigrateTLSX509Data *data = g_new0(TestMigrateTLSX509Data, 1);
143 
144     data->workdir = g_strdup_printf("%s/tlscredsx5090", tmpfs);
145     data->keyfile = g_strdup_printf("%s/key.pem", data->workdir);
146 
147     data->cacert = g_strdup_printf("%s/ca-cert.pem", data->workdir);
148     data->serverkey = g_strdup_printf("%s/server-key.pem", data->workdir);
149     data->servercert = g_strdup_printf("%s/server-cert.pem", data->workdir);
150     if (args->clientcert) {
151         data->clientkey = g_strdup_printf("%s/client-key.pem", data->workdir);
152         data->clientcert = g_strdup_printf("%s/client-cert.pem", data->workdir);
153     }
154 
155     g_mkdir_with_parents(data->workdir, 0700);
156 
157     test_tls_init(data->keyfile);
158 #ifndef _WIN32
159     g_assert(link(data->keyfile, data->serverkey) == 0);
160 #else
161     g_assert(CreateHardLink(data->serverkey, data->keyfile, NULL) != 0);
162 #endif
163     if (args->clientcert) {
164 #ifndef _WIN32
165         g_assert(link(data->keyfile, data->clientkey) == 0);
166 #else
167         g_assert(CreateHardLink(data->clientkey, data->keyfile, NULL) != 0);
168 #endif
169     }
170 
171     TLS_ROOT_REQ_SIMPLE(cacertreq, data->cacert);
172     if (args->clientcert) {
173         TLS_CERT_REQ_SIMPLE_CLIENT(servercertreq, cacertreq,
174                                    args->hostileclient ?
175                                    QCRYPTO_TLS_TEST_CLIENT_HOSTILE_NAME :
176                                    QCRYPTO_TLS_TEST_CLIENT_NAME,
177                                    data->clientcert);
178         test_tls_deinit_cert(&servercertreq);
179     }
180 
181     TLS_CERT_REQ_SIMPLE_SERVER(clientcertreq, cacertreq,
182                                data->servercert,
183                                args->certhostname,
184                                args->certipaddr);
185     test_tls_deinit_cert(&clientcertreq);
186     test_tls_deinit_cert(&cacertreq);
187 
188     qtest_qmp_assert_success(from,
189                              "{ 'execute': 'object-add',"
190                              "  'arguments': { 'qom-type': 'tls-creds-x509',"
191                              "                 'id': 'tlscredsx509client0',"
192                              "                 'endpoint': 'client',"
193                              "                 'dir': %s,"
194                              "                 'sanity-check': true,"
195                              "                 'verify-peer': true} }",
196                              data->workdir);
197     migrate_set_parameter_str(from, "tls-creds", "tlscredsx509client0");
198     if (args->certhostname) {
199         migrate_set_parameter_str(from, "tls-hostname", args->certhostname);
200     }
201 
202     qtest_qmp_assert_success(to,
203                              "{ 'execute': 'object-add',"
204                              "  'arguments': { 'qom-type': 'tls-creds-x509',"
205                              "                 'id': 'tlscredsx509server0',"
206                              "                 'endpoint': 'server',"
207                              "                 'dir': %s,"
208                              "                 'sanity-check': true,"
209                              "                 'verify-peer': %i} }",
210                              data->workdir, args->verifyclient);
211     migrate_set_parameter_str(to, "tls-creds", "tlscredsx509server0");
212 
213     if (args->authzclient) {
214         qtest_qmp_assert_success(to,
215                                  "{ 'execute': 'object-add',"
216                                  "  'arguments': { 'qom-type': 'authz-simple',"
217                                  "                 'id': 'tlsauthz0',"
218                                  "                 'identity': %s} }",
219                                  "CN=" QCRYPTO_TLS_TEST_CLIENT_NAME);
220         migrate_set_parameter_str(to, "tls-authz", "tlsauthz0");
221     }
222 
223     return data;
224 }
225 
226 /*
227  * The normal case: match server's cert hostname against
228  * whatever host we were telling QEMU to connect to (if any)
229  */
230 static void *
231 migrate_hook_start_tls_x509_default_host(QTestState *from,
232                                          QTestState *to)
233 {
234     TestMigrateTLSX509 args = {
235         .verifyclient = true,
236         .clientcert = true,
237         .certipaddr = "127.0.0.1"
238     };
239     return migrate_hook_start_tls_x509_common(from, to, &args);
240 }
241 
242 /*
243  * The unusual case: the server's cert is different from
244  * the address we're telling QEMU to connect to (if any),
245  * so we must give QEMU an explicit hostname to validate
246  */
247 static void *
248 migrate_hook_start_tls_x509_override_host(QTestState *from,
249                                           QTestState *to)
250 {
251     TestMigrateTLSX509 args = {
252         .verifyclient = true,
253         .clientcert = true,
254         .certhostname = "qemu.org",
255     };
256     return migrate_hook_start_tls_x509_common(from, to, &args);
257 }
258 
259 /*
260  * The unusual case: the server's cert is different from
261  * the address we're telling QEMU to connect to, and so we
262  * expect the client to reject the server
263  */
264 static void *
265 migrate_hook_start_tls_x509_mismatch_host(QTestState *from,
266                                           QTestState *to)
267 {
268     TestMigrateTLSX509 args = {
269         .verifyclient = true,
270         .clientcert = true,
271         .certipaddr = "10.0.0.1",
272     };
273     return migrate_hook_start_tls_x509_common(from, to, &args);
274 }
275 
276 static void *
277 migrate_hook_start_tls_x509_friendly_client(QTestState *from,
278                                             QTestState *to)
279 {
280     TestMigrateTLSX509 args = {
281         .verifyclient = true,
282         .clientcert = true,
283         .authzclient = true,
284         .certipaddr = "127.0.0.1",
285     };
286     return migrate_hook_start_tls_x509_common(from, to, &args);
287 }
288 
289 static void *
290 migrate_hook_start_tls_x509_hostile_client(QTestState *from,
291                                            QTestState *to)
292 {
293     TestMigrateTLSX509 args = {
294         .verifyclient = true,
295         .clientcert = true,
296         .hostileclient = true,
297         .authzclient = true,
298         .certipaddr = "127.0.0.1",
299     };
300     return migrate_hook_start_tls_x509_common(from, to, &args);
301 }
302 
303 /*
304  * The case with no client certificate presented,
305  * and no server verification
306  */
307 static void *
308 migrate_hook_start_tls_x509_allow_anon_client(QTestState *from,
309                                               QTestState *to)
310 {
311     TestMigrateTLSX509 args = {
312         .certipaddr = "127.0.0.1",
313     };
314     return migrate_hook_start_tls_x509_common(from, to, &args);
315 }
316 
317 /*
318  * The case with no client certificate presented,
319  * and server verification rejecting
320  */
321 static void *
322 migrate_hook_start_tls_x509_reject_anon_client(QTestState *from,
323                                                QTestState *to)
324 {
325     TestMigrateTLSX509 args = {
326         .verifyclient = true,
327         .certipaddr = "127.0.0.1",
328     };
329     return migrate_hook_start_tls_x509_common(from, to, &args);
330 }
331 
332 static void
333 migrate_hook_end_tls_x509(QTestState *from,
334                           QTestState *to,
335                           void *opaque)
336 {
337     TestMigrateTLSX509Data *data = opaque;
338 
339     test_tls_cleanup(data->keyfile);
340     g_free(data->keyfile);
341 
342     unlink(data->cacert);
343     g_free(data->cacert);
344     unlink(data->servercert);
345     g_free(data->servercert);
346     unlink(data->serverkey);
347     g_free(data->serverkey);
348 
349     if (data->clientcert) {
350         unlink(data->clientcert);
351         g_free(data->clientcert);
352     }
353     if (data->clientkey) {
354         unlink(data->clientkey);
355         g_free(data->clientkey);
356     }
357 
358     rmdir(data->workdir);
359     g_free(data->workdir);
360 
361     g_free(data);
362 }
363 #endif /* CONFIG_TASN1 */
364 
365 static void test_postcopy_tls_psk(void)
366 {
367     MigrateCommon args = {
368         .start_hook = migrate_hook_start_tls_psk_match,
369         .end_hook = migrate_hook_end_tls_psk,
370     };
371 
372     test_postcopy_common(&args);
373 }
374 
375 static void test_postcopy_preempt_tls_psk(void)
376 {
377     MigrateCommon args = {
378         .start_hook = migrate_hook_start_tls_psk_match,
379         .end_hook = migrate_hook_end_tls_psk,
380         .start = {
381             .caps[MIGRATION_CAPABILITY_POSTCOPY_PREEMPT] = true,
382         },
383     };
384 
385     test_postcopy_common(&args);
386 }
387 
388 static void test_postcopy_recovery_tls_psk(void)
389 {
390     MigrateCommon args = {
391         .start_hook = migrate_hook_start_tls_psk_match,
392         .end_hook = migrate_hook_end_tls_psk,
393     };
394 
395     test_postcopy_recovery_common(&args);
396 }
397 
398 /* This contains preempt+recovery+tls test altogether */
399 static void test_postcopy_preempt_all(void)
400 {
401     MigrateCommon args = {
402         .start_hook = migrate_hook_start_tls_psk_match,
403         .end_hook = migrate_hook_end_tls_psk,
404         .start = {
405             .caps[MIGRATION_CAPABILITY_POSTCOPY_PREEMPT] = true,
406         },
407     };
408 
409     test_postcopy_recovery_common(&args);
410 }
411 
412 static void test_precopy_unix_tls_psk(void)
413 {
414     g_autofree char *uri = g_strdup_printf("unix:%s/migsocket", tmpfs);
415     MigrateCommon args = {
416         .connect_uri = uri,
417         .listen_uri = uri,
418         .start_hook = migrate_hook_start_tls_psk_match,
419         .end_hook = migrate_hook_end_tls_psk,
420     };
421 
422     test_precopy_common(&args);
423 }
424 
425 #ifdef CONFIG_TASN1
426 static void test_precopy_unix_tls_x509_default_host(void)
427 {
428     g_autofree char *uri = g_strdup_printf("unix:%s/migsocket", tmpfs);
429     MigrateCommon args = {
430         .start = {
431             .hide_stderr = true,
432         },
433         .connect_uri = uri,
434         .listen_uri = uri,
435         .start_hook = migrate_hook_start_tls_x509_default_host,
436         .end_hook = migrate_hook_end_tls_x509,
437         .result = MIG_TEST_FAIL_DEST_QUIT_ERR,
438     };
439 
440     test_precopy_common(&args);
441 }
442 
443 static void test_precopy_unix_tls_x509_override_host(void)
444 {
445     g_autofree char *uri = g_strdup_printf("unix:%s/migsocket", tmpfs);
446     MigrateCommon args = {
447         .connect_uri = uri,
448         .listen_uri = uri,
449         .start_hook = migrate_hook_start_tls_x509_override_host,
450         .end_hook = migrate_hook_end_tls_x509,
451     };
452 
453     test_precopy_common(&args);
454 }
455 #endif /* CONFIG_TASN1 */
456 
457 static void test_precopy_tcp_tls_psk_match(void)
458 {
459     MigrateCommon args = {
460         .listen_uri = "tcp:127.0.0.1:0",
461         .start_hook = migrate_hook_start_tls_psk_match,
462         .end_hook = migrate_hook_end_tls_psk,
463     };
464 
465     test_precopy_common(&args);
466 }
467 
468 static void test_precopy_tcp_tls_psk_mismatch(void)
469 {
470     MigrateCommon args = {
471         .start = {
472             .hide_stderr = true,
473         },
474         .listen_uri = "tcp:127.0.0.1:0",
475         .start_hook = migrate_hook_start_tls_psk_mismatch,
476         .end_hook = migrate_hook_end_tls_psk,
477         .result = MIG_TEST_FAIL,
478     };
479 
480     test_precopy_common(&args);
481 }
482 
483 #ifdef CONFIG_TASN1
484 static void test_precopy_tcp_tls_x509_default_host(void)
485 {
486     MigrateCommon args = {
487         .listen_uri = "tcp:127.0.0.1:0",
488         .start_hook = migrate_hook_start_tls_x509_default_host,
489         .end_hook = migrate_hook_end_tls_x509,
490     };
491 
492     test_precopy_common(&args);
493 }
494 
495 static void test_precopy_tcp_tls_x509_override_host(void)
496 {
497     MigrateCommon args = {
498         .listen_uri = "tcp:127.0.0.1:0",
499         .start_hook = migrate_hook_start_tls_x509_override_host,
500         .end_hook = migrate_hook_end_tls_x509,
501     };
502 
503     test_precopy_common(&args);
504 }
505 
506 static void test_precopy_tcp_tls_x509_mismatch_host(void)
507 {
508     MigrateCommon args = {
509         .start = {
510             .hide_stderr = true,
511         },
512         .listen_uri = "tcp:127.0.0.1:0",
513         .start_hook = migrate_hook_start_tls_x509_mismatch_host,
514         .end_hook = migrate_hook_end_tls_x509,
515         .result = MIG_TEST_FAIL_DEST_QUIT_ERR,
516     };
517 
518     test_precopy_common(&args);
519 }
520 
521 static void test_precopy_tcp_tls_x509_friendly_client(void)
522 {
523     MigrateCommon args = {
524         .listen_uri = "tcp:127.0.0.1:0",
525         .start_hook = migrate_hook_start_tls_x509_friendly_client,
526         .end_hook = migrate_hook_end_tls_x509,
527     };
528 
529     test_precopy_common(&args);
530 }
531 
532 static void test_precopy_tcp_tls_x509_hostile_client(void)
533 {
534     MigrateCommon args = {
535         .start = {
536             .hide_stderr = true,
537         },
538         .listen_uri = "tcp:127.0.0.1:0",
539         .start_hook = migrate_hook_start_tls_x509_hostile_client,
540         .end_hook = migrate_hook_end_tls_x509,
541         .result = MIG_TEST_FAIL,
542     };
543 
544     test_precopy_common(&args);
545 }
546 
547 static void test_precopy_tcp_tls_x509_allow_anon_client(void)
548 {
549     MigrateCommon args = {
550         .listen_uri = "tcp:127.0.0.1:0",
551         .start_hook = migrate_hook_start_tls_x509_allow_anon_client,
552         .end_hook = migrate_hook_end_tls_x509,
553     };
554 
555     test_precopy_common(&args);
556 }
557 
558 static void test_precopy_tcp_tls_x509_reject_anon_client(void)
559 {
560     MigrateCommon args = {
561         .start = {
562             .hide_stderr = true,
563         },
564         .listen_uri = "tcp:127.0.0.1:0",
565         .start_hook = migrate_hook_start_tls_x509_reject_anon_client,
566         .end_hook = migrate_hook_end_tls_x509,
567         .result = MIG_TEST_FAIL,
568     };
569 
570     test_precopy_common(&args);
571 }
572 #endif /* CONFIG_TASN1 */
573 
574 static void *
575 migrate_hook_start_multifd_tcp_tls_psk_match(QTestState *from,
576                                              QTestState *to)
577 {
578     migrate_hook_start_precopy_tcp_multifd_common(from, to, "none");
579     return migrate_hook_start_tls_psk_match(from, to);
580 }
581 
582 static void *
583 migrate_hook_start_multifd_tcp_tls_psk_mismatch(QTestState *from,
584                                                 QTestState *to)
585 {
586     migrate_hook_start_precopy_tcp_multifd_common(from, to, "none");
587     return migrate_hook_start_tls_psk_mismatch(from, to);
588 }
589 
590 #ifdef CONFIG_TASN1
591 static void *
592 migrate_hook_start_multifd_tls_x509_default_host(QTestState *from,
593                                                  QTestState *to)
594 {
595     migrate_hook_start_precopy_tcp_multifd_common(from, to, "none");
596     return migrate_hook_start_tls_x509_default_host(from, to);
597 }
598 
599 static void *
600 migrate_hook_start_multifd_tls_x509_override_host(QTestState *from,
601                                                   QTestState *to)
602 {
603     migrate_hook_start_precopy_tcp_multifd_common(from, to, "none");
604     return migrate_hook_start_tls_x509_override_host(from, to);
605 }
606 
607 static void *
608 migrate_hook_start_multifd_tls_x509_mismatch_host(QTestState *from,
609                                                   QTestState *to)
610 {
611     migrate_hook_start_precopy_tcp_multifd_common(from, to, "none");
612     return migrate_hook_start_tls_x509_mismatch_host(from, to);
613 }
614 
615 static void *
616 migrate_hook_start_multifd_tls_x509_allow_anon_client(QTestState *from,
617                                                       QTestState *to)
618 {
619     migrate_hook_start_precopy_tcp_multifd_common(from, to, "none");
620     return migrate_hook_start_tls_x509_allow_anon_client(from, to);
621 }
622 
623 static void *
624 migrate_hook_start_multifd_tls_x509_reject_anon_client(QTestState *from,
625                                                        QTestState *to)
626 {
627     migrate_hook_start_precopy_tcp_multifd_common(from, to, "none");
628     return migrate_hook_start_tls_x509_reject_anon_client(from, to);
629 }
630 #endif /* CONFIG_TASN1 */
631 
632 static void test_multifd_tcp_tls_psk_match(void)
633 {
634     MigrateCommon args = {
635         .listen_uri = "defer",
636         .start_hook = migrate_hook_start_multifd_tcp_tls_psk_match,
637         .end_hook = migrate_hook_end_tls_psk,
638         .start = {
639             .caps[MIGRATION_CAPABILITY_MULTIFD] = true,
640         },
641     };
642     test_precopy_common(&args);
643 }
644 
645 static void test_multifd_tcp_tls_psk_mismatch(void)
646 {
647     MigrateCommon args = {
648         .start = {
649             .hide_stderr = true,
650             .caps[MIGRATION_CAPABILITY_MULTIFD] = true,
651         },
652         .listen_uri = "defer",
653         .start_hook = migrate_hook_start_multifd_tcp_tls_psk_mismatch,
654         .end_hook = migrate_hook_end_tls_psk,
655         .result = MIG_TEST_FAIL,
656     };
657     test_precopy_common(&args);
658 }
659 
660 #ifdef CONFIG_TASN1
661 static void test_multifd_tcp_tls_x509_default_host(void)
662 {
663     MigrateCommon args = {
664         .listen_uri = "defer",
665         .start_hook = migrate_hook_start_multifd_tls_x509_default_host,
666         .end_hook = migrate_hook_end_tls_x509,
667         .start = {
668             .caps[MIGRATION_CAPABILITY_MULTIFD] = true,
669         },
670     };
671     test_precopy_common(&args);
672 }
673 
674 static void test_multifd_tcp_tls_x509_override_host(void)
675 {
676     MigrateCommon args = {
677         .listen_uri = "defer",
678         .start_hook = migrate_hook_start_multifd_tls_x509_override_host,
679         .end_hook = migrate_hook_end_tls_x509,
680         .start = {
681             .caps[MIGRATION_CAPABILITY_MULTIFD] = true,
682         },
683     };
684     test_precopy_common(&args);
685 }
686 
687 static void test_multifd_tcp_tls_x509_mismatch_host(void)
688 {
689     /*
690      * This has different behaviour to the non-multifd case.
691      *
692      * In non-multifd case when client aborts due to mismatched
693      * cert host, the server has already started trying to load
694      * migration state, and so it exits with I/O failure.
695      *
696      * In multifd case when client aborts due to mismatched
697      * cert host, the server is still waiting for the other
698      * multifd connections to arrive so hasn't started trying
699      * to load migration state, and thus just aborts the migration
700      * without exiting.
701      */
702     MigrateCommon args = {
703         .start = {
704             .hide_stderr = true,
705             .caps[MIGRATION_CAPABILITY_MULTIFD] = true,
706         },
707         .listen_uri = "defer",
708         .start_hook = migrate_hook_start_multifd_tls_x509_mismatch_host,
709         .end_hook = migrate_hook_end_tls_x509,
710         .result = MIG_TEST_FAIL,
711     };
712     test_precopy_common(&args);
713 }
714 
715 static void test_multifd_tcp_tls_x509_allow_anon_client(void)
716 {
717     MigrateCommon args = {
718         .listen_uri = "defer",
719         .start_hook = migrate_hook_start_multifd_tls_x509_allow_anon_client,
720         .end_hook = migrate_hook_end_tls_x509,
721         .start = {
722             .caps[MIGRATION_CAPABILITY_MULTIFD] = true,
723         },
724     };
725     test_precopy_common(&args);
726 }
727 
728 static void test_multifd_tcp_tls_x509_reject_anon_client(void)
729 {
730     MigrateCommon args = {
731         .start = {
732             .hide_stderr = true,
733             .caps[MIGRATION_CAPABILITY_MULTIFD] = true,
734         },
735         .listen_uri = "defer",
736         .start_hook = migrate_hook_start_multifd_tls_x509_reject_anon_client,
737         .end_hook = migrate_hook_end_tls_x509,
738         .result = MIG_TEST_FAIL,
739     };
740     test_precopy_common(&args);
741 }
742 #endif /* CONFIG_TASN1 */
743 
744 static void migration_test_add_tls_smoke(MigrationTestEnv *env)
745 {
746     migration_test_add("/migration/precopy/tcp/tls/psk/match",
747                        test_precopy_tcp_tls_psk_match);
748 }
749 
750 void migration_test_add_tls(MigrationTestEnv *env)
751 {
752     tmpfs = env->tmpfs;
753 
754     migration_test_add_tls_smoke(env);
755 
756     if (!env->full_set) {
757         return;
758     }
759 
760     migration_test_add("/migration/precopy/unix/tls/psk",
761                        test_precopy_unix_tls_psk);
762 
763     if (env->has_uffd) {
764         /*
765          * NOTE: psk test is enough for postcopy, as other types of TLS
766          * channels are tested under precopy.  Here what we want to test is the
767          * general postcopy path that has TLS channel enabled.
768          */
769         migration_test_add("/migration/postcopy/tls/psk",
770                            test_postcopy_tls_psk);
771         migration_test_add("/migration/postcopy/recovery/tls/psk",
772                            test_postcopy_recovery_tls_psk);
773         migration_test_add("/migration/postcopy/preempt/tls/psk",
774                            test_postcopy_preempt_tls_psk);
775         migration_test_add("/migration/postcopy/preempt/recovery/tls/psk",
776                            test_postcopy_preempt_all);
777     }
778 #ifdef CONFIG_TASN1
779     migration_test_add("/migration/precopy/unix/tls/x509/default-host",
780                        test_precopy_unix_tls_x509_default_host);
781     migration_test_add("/migration/precopy/unix/tls/x509/override-host",
782                        test_precopy_unix_tls_x509_override_host);
783 #endif /* CONFIG_TASN1 */
784 
785     migration_test_add("/migration/precopy/tcp/tls/psk/mismatch",
786                        test_precopy_tcp_tls_psk_mismatch);
787 #ifdef CONFIG_TASN1
788     migration_test_add("/migration/precopy/tcp/tls/x509/default-host",
789                        test_precopy_tcp_tls_x509_default_host);
790     migration_test_add("/migration/precopy/tcp/tls/x509/override-host",
791                        test_precopy_tcp_tls_x509_override_host);
792     migration_test_add("/migration/precopy/tcp/tls/x509/mismatch-host",
793                        test_precopy_tcp_tls_x509_mismatch_host);
794     migration_test_add("/migration/precopy/tcp/tls/x509/friendly-client",
795                        test_precopy_tcp_tls_x509_friendly_client);
796     migration_test_add("/migration/precopy/tcp/tls/x509/hostile-client",
797                        test_precopy_tcp_tls_x509_hostile_client);
798     migration_test_add("/migration/precopy/tcp/tls/x509/allow-anon-client",
799                        test_precopy_tcp_tls_x509_allow_anon_client);
800     migration_test_add("/migration/precopy/tcp/tls/x509/reject-anon-client",
801                        test_precopy_tcp_tls_x509_reject_anon_client);
802 #endif /* CONFIG_TASN1 */
803 
804     migration_test_add("/migration/multifd/tcp/tls/psk/match",
805                        test_multifd_tcp_tls_psk_match);
806     migration_test_add("/migration/multifd/tcp/tls/psk/mismatch",
807                        test_multifd_tcp_tls_psk_mismatch);
808 #ifdef CONFIG_TASN1
809     migration_test_add("/migration/multifd/tcp/tls/x509/default-host",
810                        test_multifd_tcp_tls_x509_default_host);
811     migration_test_add("/migration/multifd/tcp/tls/x509/override-host",
812                        test_multifd_tcp_tls_x509_override_host);
813     migration_test_add("/migration/multifd/tcp/tls/x509/mismatch-host",
814                        test_multifd_tcp_tls_x509_mismatch_host);
815     migration_test_add("/migration/multifd/tcp/tls/x509/allow-anon-client",
816                        test_multifd_tcp_tls_x509_allow_anon_client);
817     migration_test_add("/migration/multifd/tcp/tls/x509/reject-anon-client",
818                        test_multifd_tcp_tls_x509_reject_anon_client);
819 #endif /* CONFIG_TASN1 */
820 }
821