Test both the TLS enabled and fallback paths. nbd-server doesn't appear to support TLS at all, and qemu-nbd is known not to allow fallback to unencrypted, and therefore it only makes sense to test nbdkit at the moment. --- .gitignore | 4 ++++ TODO | 3 --- interop/Makefile.am | 54 +++++++++++++++++++++++++++++++++++++++++++++ interop/interop.c | 30 ++++++++++++++++++++----- 4 files changed, 82 insertions(+), 9 deletions(-)
diff --git a/.gitignore b/.gitignore
index ab47370..dd8a052 100644
--- a/.gitignore
+++ b/.gitignore
@@ -62,7 +62,11 @@ Makefile.in
 /interop/dirty-bitmap
 /interop/interop-nbdkit
 /interop/interop-nbdkit-tls-certs
+/interop/interop-nbdkit-tls-certs-allow-enabled
+/interop/interop-nbdkit-tls-certs-allow-fallback
 /interop/interop-nbdkit-tls-psk
+/interop/interop-nbdkit-tls-psk-allow-enabled
+/interop/interop-nbdkit-tls-psk-allow-fallback
 /interop/interop-nbd-server
 /interop/interop-qemu-nbd
 /interop/interop-qemu-nbd-tls-certs
diff --git a/TODO b/TODO
index 21feb2f..642d39f 100644
--- a/TODO
+++ b/TODO
@@ -17,9 +17,6 @@ NBD_INFO_BLOCK_SIZE.
 TLS should properly shut down the session (calling gnutls_bye).
-LIBNBD_TLS_ALLOW is not tested. Related to this,
-nbd_get_tls_negotiated is not tested.
-
 Implement nbd_connect + systemd socket activation.
 Improve function trace output so that:
diff --git a/interop/Makefile.am b/interop/Makefile.am
index 8a5b787..43350a8 100644
--- a/interop/Makefile.am
+++ b/interop/Makefile.am
@@ -145,17 +145,25 @@ if HAVE_GNUTLS
 if HAVE_CERTTOOL
 check_PROGRAMS += \
 interop-nbdkit-tls-certs \
+ interop-nbdkit-tls-certs-allow-enabled \
+ interop-nbdkit-tls-certs-allow-fallback \
 $(NULL)
 TESTS += \
 interop-nbdkit-tls-certs \
+ interop-nbdkit-tls-certs-allow-enabled \
+ interop-nbdkit-tls-certs-allow-fallback \
 $(NULL)
 endif
 if HAVE_PSKTOOL
 check_PROGRAMS += \
 interop-nbdkit-tls-psk \
+ interop-nbdkit-tls-psk-allow-enabled \
+ interop-nbdkit-tls-psk-allow-fallback \
 $(NULL)
 TESTS += \
 interop-nbdkit-tls-psk \
+ interop-nbdkit-tls-psk-allow-enabled \
+ interop-nbdkit-tls-psk-allow-fallback \
 $(NULL)
 endif
 endif
@@ -180,6 +188,29 @@ interop_nbdkit_tls_certs_CPPFLAGS = \
 interop_nbdkit_tls_certs_CFLAGS = $(WARNINGS_CFLAGS)
 interop_nbdkit_tls_certs_LDADD = $(top_builddir)/lib/libnbd.la
+interop_nbdkit_tls_certs_allow_enabled_SOURCES = interop.c
+interop_nbdkit_tls_certs_allow_enabled_CPPFLAGS = \
+ -I$(top_srcdir)/include \
+ -DSERVER=\"$(NBDKIT)\" \
+ -DSERVER_PARAMS='"--tls=require", "--tls-certificates=../tests/pki", "-s", "--exit-with-parent", "file", tmpfile' \
+ -DCERTS=1 \
+ -DTLS_MODE=LIBNBD_TLS_ALLOW \
+ $(NULL)
+interop_nbdkit_tls_certs_allow_enabled_CFLAGS = $(WARNINGS_CFLAGS)
+interop_nbdkit_tls_certs_allow_enabled_LDADD = $(top_builddir)/lib/libnbd.la
+
+interop_nbdkit_tls_certs_allow_fallback_SOURCES = interop.c
+interop_nbdkit_tls_certs_allow_fallback_CPPFLAGS = \
+ -I$(top_srcdir)/include \
+ -DSERVER=\"$(NBDKIT)\" \
+ -DSERVER_PARAMS='"--tls=off", "-s", "--exit-with-parent", "file", tmpfile' \
+ -DCERTS=1 \
+ -DTLS_MODE=LIBNBD_TLS_ALLOW \
+ -DTLS_FALLBACK=1 \
+ $(NULL)
+interop_nbdkit_tls_certs_allow_fallback_CFLAGS = $(WARNINGS_CFLAGS)
+interop_nbdkit_tls_certs_allow_fallback_LDADD = $(top_builddir)/lib/libnbd.la
+
 interop_nbdkit_tls_psk_SOURCES = interop.c
 interop_nbdkit_tls_psk_CPPFLAGS = \
 -I$(top_srcdir)/include \
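Review bot: None of the four new stanzas (this hunk and the psk hunk that follows) pass `-DTLS=1`, yet the checks this series adds to interop.c sit under `#if TLS`; if interop.c derives TLS from CERTS/PSK that is fine, but otherwise the new assertions compile out and the allow-enabled/allow-fallback programs pass without verifying anything, so it is worth confirming before merging. Related, `TLS_FALLBACK` is only ever defined in the two fallback variants and interop.c tests it with `#if TLS_FALLBACK`, which leans on an undefined macro evaluating to 0; adding `-DTLS_FALLBACK=0 \` to each allow-enabled stanza makes the intent explicit and avoids a `-Wundef` diagnostic if that warning is ever enabled in `$(WARNINGS_CFLAGS)`. The four stanzas also repeat the same `-I`/`-DSERVER`/`CFLAGS`/`LDADD` boilerplate verbatim, which a shared `interop_nbdkit_tls_common_CPPFLAGS` variable would keep in one place.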
@@ -191,6 +222,29 @@ interop_nbdkit_tls_psk_CPPFLAGS = \
 interop_nbdkit_tls_psk_CFLAGS = $(WARNINGS_CFLAGS)
 interop_nbdkit_tls_psk_LDADD = $(top_builddir)/lib/libnbd.la
+interop_nbdkit_tls_psk_allow_enabled_SOURCES = interop.c
+interop_nbdkit_tls_psk_allow_enabled_CPPFLAGS = \
+ -I$(top_srcdir)/include \
+ -DSERVER=\"$(NBDKIT)\" \
+ -DSERVER_PARAMS='"--tls=require", "--tls-psk=../tests/keys.psk", "-s", "--exit-with-parent", "file", tmpfile' \
+ -DPSK=1 \
+ -DTLS_MODE=LIBNBD_TLS_ALLOW \
+ $(NULL)
+interop_nbdkit_tls_psk_allow_enabled_CFLAGS = $(WARNINGS_CFLAGS)
+interop_nbdkit_tls_psk_allow_enabled_LDADD = $(top_builddir)/lib/libnbd.la
+
+interop_nbdkit_tls_psk_allow_fallback_SOURCES = interop.c
+interop_nbdkit_tls_psk_allow_fallback_CPPFLAGS = \
+ -I$(top_srcdir)/include \
+ -DSERVER=\"$(NBDKIT)\" \
+ -DSERVER_PARAMS='"--tls=off", "-s", "--exit-with-parent", "file", tmpfile' \
+ -DPSK=1 \
+ -DTLS_MODE=LIBNBD_TLS_ALLOW \
+ -DTLS_FALLBACK=1 \
+ $(NULL)
+interop_nbdkit_tls_psk_allow_fallback_CFLAGS = $(WARNINGS_CFLAGS)
+interop_nbdkit_tls_psk_allow_fallback_LDADD = $(top_builddir)/lib/libnbd.la
+
 endif HAVE_NBDKIT
 check-valgrind:
diff --git a/interop/interop.c b/interop/interop.c
index 2772721..3d916f2 100644
--- a/interop/interop.c
+++ b/interop/interop.c
@@ -147,12 +147,30 @@ main (int argc, char *argv[])
 #endif
 #if TLS
- if (TLS_MODE == LIBNBD_TLS_REQUIRE &&
- nbd_get_tls_negotiated (nbd) != 1) {
- fprintf (stderr,
- "%s: TLS required, but not negotiated on the connection\n",
- argv[0]);
- goto out;
+ if (TLS_MODE == LIBNBD_TLS_REQUIRE) {
+ if (nbd_get_tls_negotiated (nbd) != 1) {
+ fprintf (stderr,
+ "%s: TLS required, but not negotiated on the connection\n",
+ argv[0]);
+ goto out;
+ }
+ }
+ else if (TLS_MODE == LIBNBD_TLS_ALLOW) {
+#if TLS_FALLBACK
+ if (nbd_get_tls_negotiated (nbd) != 0) {
+ fprintf (stderr,
+ "%s: TLS disabled, but connection didn't fall back to plaintext\n",
+ argv[0]);
+ goto out;
+ }
+#else // !TLS_FALLBACK
+ if (nbd_get_tls_negotiated (nbd) != 1) {
+ fprintf (stderr,
+ "%s: TLS required, but not negotiated on the connection\n",
+ argv[0]);
+ goto out;
+ }
+#endif
 }
 #endif
-- 
2.23.0
_______________________________________________ Libguestfs mailing list Libguestfs@redhat.com https://www.redhat.com/mailman/listinfo/libguestfs
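Review bot: The message in the `#else // !TLS_FALLBACK` branch still says "TLS required" although that branch only runs when TLS_MODE is LIBNBD_TLS_ALLOW, so a failure there would point a reader at the wrong client configuration; `"%s: TLS allowed and expected from the server, but not negotiated on the connection\n",` describes what the test actually asserts. Every branch also treats an nbd_get_tls_negotiated() failure (-1, if it follows the usual libnbd getter convention) as a negotiation mismatch: in the fallback branch `!= 0` would print "didn't fall back to plaintext" for an API error, which is misleading when diagnosing a failing interop run. Capturing the result once, `int negotiated = nbd_get_tls_negotiated (nbd);`, and reporting `nbd_get_error ()` when it is -1 before comparing against the expected value would separate the two cases and also let the REQUIRE and ALLOW-without-fallback branches share a single `!= 1` check instead of duplicating it. The enclosing main() starts and ends outside this hunk.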