Test both the TLS enabled and fallback paths.

nbd-server doesn't appear to support TLS at all, and qemu-nbd is known
not to allow fallback to unencrypted, so nbdkit is the only server that
can exercise both paths at the moment.
---
 .gitignore          |  4 ++++
 TODO                |  3 ---
 interop/Makefile.am | 54 +++++++++++++++++++++++++++++++++++++++++++++
 interop/interop.c   | 30 ++++++++++++++++++++-----
 4 files changed, 82 insertions(+), 9 deletions(-)

diff --git a/.gitignore b/.gitignore
index ab47370..dd8a052 100644
--- a/.gitignore
+++ b/.gitignore
@@ -62,7 +62,11 @@ Makefile.in
 /interop/dirty-bitmap
 /interop/interop-nbdkit
 /interop/interop-nbdkit-tls-certs
+/interop/interop-nbdkit-tls-certs-allow-enabled
+/interop/interop-nbdkit-tls-certs-allow-fallback
 /interop/interop-nbdkit-tls-psk
+/interop/interop-nbdkit-tls-psk-allow-enabled
+/interop/interop-nbdkit-tls-psk-allow-fallback
 /interop/interop-nbd-server
 /interop/interop-qemu-nbd
 /interop/interop-qemu-nbd-tls-certs
diff --git a/TODO b/TODO
index 21feb2f..642d39f 100644
--- a/TODO
+++ b/TODO
@@ -17,9 +17,6 @@ NBD_INFO_BLOCK_SIZE.
 
 TLS should properly shut down the session (calling gnutls_bye).
 
-LIBNBD_TLS_ALLOW is not tested.  Related to this,
-nbd_get_tls_negotiated is not tested.
-
 Implement nbd_connect + systemd socket activation.
 
 Improve function trace output so that:
diff --git a/interop/Makefile.am b/interop/Makefile.am
index 8a5b787..43350a8 100644
--- a/interop/Makefile.am
+++ b/interop/Makefile.am
@@ -145,17 +145,25 @@ if HAVE_GNUTLS
 if HAVE_CERTTOOL
 check_PROGRAMS += \
        interop-nbdkit-tls-certs \
+       interop-nbdkit-tls-certs-allow-enabled \
+       interop-nbdkit-tls-certs-allow-fallback \
        $(NULL)
 TESTS += \
        interop-nbdkit-tls-certs \
+       interop-nbdkit-tls-certs-allow-enabled \
+       interop-nbdkit-tls-certs-allow-fallback \
        $(NULL)
 endif
 if HAVE_PSKTOOL
 check_PROGRAMS += \
        interop-nbdkit-tls-psk \
+       interop-nbdkit-tls-psk-allow-enabled \
+       interop-nbdkit-tls-psk-allow-fallback \
        $(NULL)
 TESTS += \
        interop-nbdkit-tls-psk \
+       interop-nbdkit-tls-psk-allow-enabled \
+       interop-nbdkit-tls-psk-allow-fallback \
        $(NULL)
 endif
 endif
@@ -180,6 +188,29 @@ interop_nbdkit_tls_certs_CPPFLAGS = \
 interop_nbdkit_tls_certs_CFLAGS = $(WARNINGS_CFLAGS)
 interop_nbdkit_tls_certs_LDADD = $(top_builddir)/lib/libnbd.la
 
+interop_nbdkit_tls_certs_allow_enabled_SOURCES = interop.c
+interop_nbdkit_tls_certs_allow_enabled_CPPFLAGS = \
+       -I$(top_srcdir)/include \
+       -DSERVER=\"$(NBDKIT)\" \
+       -DSERVER_PARAMS='"--tls=require", "--tls-certificates=../tests/pki", 
"-s", "--exit-with-parent", "file", tmpfile' \
+       -DCERTS=1 \
+       -DTLS_MODE=LIBNBD_TLS_ALLOW \
+       $(NULL)
+interop_nbdkit_tls_certs_allow_enabled_CFLAGS = $(WARNINGS_CFLAGS)
+interop_nbdkit_tls_certs_allow_enabled_LDADD = $(top_builddir)/lib/libnbd.la
+
+interop_nbdkit_tls_certs_allow_fallback_SOURCES = interop.c
+interop_nbdkit_tls_certs_allow_fallback_CPPFLAGS = \
+       -I$(top_srcdir)/include \
+       -DSERVER=\"$(NBDKIT)\" \
+       -DSERVER_PARAMS='"--tls=off", "-s", "--exit-with-parent", "file", 
tmpfile' \
+       -DCERTS=1 \
+       -DTLS_MODE=LIBNBD_TLS_ALLOW \
+       -DTLS_FALLBACK=1 \
+       $(NULL)
+interop_nbdkit_tls_certs_allow_fallback_CFLAGS = $(WARNINGS_CFLAGS)
+interop_nbdkit_tls_certs_allow_fallback_LDADD = $(top_builddir)/lib/libnbd.la
+
 interop_nbdkit_tls_psk_SOURCES = interop.c
 interop_nbdkit_tls_psk_CPPFLAGS = \
        -I$(top_srcdir)/include \
@@ -191,6 +222,29 @@ interop_nbdkit_tls_psk_CPPFLAGS = \
 interop_nbdkit_tls_psk_CFLAGS = $(WARNINGS_CFLAGS)
 interop_nbdkit_tls_psk_LDADD = $(top_builddir)/lib/libnbd.la
 
+interop_nbdkit_tls_psk_allow_enabled_SOURCES = interop.c
+interop_nbdkit_tls_psk_allow_enabled_CPPFLAGS = \
+       -I$(top_srcdir)/include \
+       -DSERVER=\"$(NBDKIT)\" \
+       -DSERVER_PARAMS='"--tls=require", "--tls-psk=../tests/keys.psk", "-s", 
"--exit-with-parent", "file", tmpfile' \
+       -DPSK=1 \
+       -DTLS_MODE=LIBNBD_TLS_ALLOW \
+       $(NULL)
+interop_nbdkit_tls_psk_allow_enabled_CFLAGS = $(WARNINGS_CFLAGS)
+interop_nbdkit_tls_psk_allow_enabled_LDADD = $(top_builddir)/lib/libnbd.la
+
+interop_nbdkit_tls_psk_allow_fallback_SOURCES = interop.c
+interop_nbdkit_tls_psk_allow_fallback_CPPFLAGS = \
+       -I$(top_srcdir)/include \
+       -DSERVER=\"$(NBDKIT)\" \
+       -DSERVER_PARAMS='"--tls=off", "-s", "--exit-with-parent", "file", 
tmpfile' \
+       -DPSK=1 \
+       -DTLS_MODE=LIBNBD_TLS_ALLOW \
+       -DTLS_FALLBACK=1 \
+       $(NULL)
+interop_nbdkit_tls_psk_allow_fallback_CFLAGS = $(WARNINGS_CFLAGS)
+interop_nbdkit_tls_psk_allow_fallback_LDADD = $(top_builddir)/lib/libnbd.la
+
 endif HAVE_NBDKIT
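Review bot: The two new `allow-fallback` programs only cover the case where the server refuses TLS outright (`--tls=off` in both SERVER_PARAMS), so what is being asserted is that LIBNBD_TLS_ALLOW downgrades to plaintext when STARTTLS is rejected, not what happens when a server accepts STARTTLS and the handshake then fails; whether ALLOW falls back or aborts in that case cannot be told from this hunk and is the more interesting downgrade question. It would help a reader to state that scope next to the definitions, e.g. `# *-allow-fallback: server has TLS disabled, client must downgrade to plaintext` and `# *-allow-enabled: server requires TLS, client must negotiate it`. The four blocks are otherwise copies of the existing tls-certs / tls-psk definitions differing only in SERVER_PARAMS and the TLS_MODE / TLS_FALLBACK defines, which is fine for automake but worth a one-line comment so the pairs stay in sync.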
 
 check-valgrind:
diff --git a/interop/interop.c b/interop/interop.c
index 2772721..3d916f2 100644
--- a/interop/interop.c
+++ b/interop/interop.c
@@ -147,12 +147,30 @@ main (int argc, char *argv[])
 #endif
 
 #if TLS
-  if (TLS_MODE == LIBNBD_TLS_REQUIRE &&
-      nbd_get_tls_negotiated (nbd) != 1) {
-    fprintf (stderr,
-             "%s: TLS required, but not negotiated on the connection\n",
-             argv[0]);
-    goto out;
+  if (TLS_MODE == LIBNBD_TLS_REQUIRE) {
+    if (nbd_get_tls_negotiated (nbd) != 1) {
+      fprintf (stderr,
+               "%s: TLS required, but not negotiated on the connection\n",
+               argv[0]);
+      goto out;
+    }
+  }
+  else if (TLS_MODE == LIBNBD_TLS_ALLOW) {
+#if TLS_FALLBACK
+    if (nbd_get_tls_negotiated (nbd) != 0) {
+      fprintf (stderr,
+               "%s: TLS disabled, but connection didn't fall back to 
plaintext\n",
+               argv[0]);
+      goto out;
+    }
+#else // !TLS_FALLBACK
+    if (nbd_get_tls_negotiated (nbd) != 1) {
+      fprintf (stderr,
+               "%s: TLS required, but not negotiated on the connection\n",
+               argv[0]);
+      goto out;
+    }
+#endif
   }
 #endif
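Review bot: The error message in the `#else` branch of the new `LIBNBD_TLS_ALLOW` case (the `fprintf` reading `TLS required, but not negotiated on the connection`) was copied from the `LIBNBD_TLS_REQUIRE` branch and is wrong for this mode: TLS is only allowed here, and what failed is that a build expecting negotiation (no TLS_FALLBACK) did not get it, so a failing run reads as a REQUIRE-mode test. Suggest `"%s: TLS allowed and expected, but not negotiated on the connection\n"`. The three branches differ only in the value `nbd_get_tls_negotiated` is expected to return (1, 0 or 1), so folding them into one `expected` variable checked once would also remove the duplicated messages, though that is optional. `#if TLS_FALLBACK` on an undefined macro evaluates to 0, which matches the file's existing `#if TLS` style but would trip `-Wundef` if WARNINGS_CFLAGS ever enables it. main() continues outside the hunk.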
 
-- 
2.23.0
