On 03/10/2025 17.39, Peter Xu wrote:
> QCryptoTLSSession allows TLS premature termination in two cases, one of the
> cases is when the channel shutdown() is invoked on READ side.
Hi Peter,
this patch breaks iotest 233 for me:
thuth:~/tmp/qemu-build$ cd tests/qemu-iotests/
thuth:~/tmp/qemu-build/tests/qemu-iotests$ ./check 233
QEMU -- "/home/thuth/tmp/qemu-build/qemu-system-x86_64" -nodefaults
-display none -accel qtest
QEMU_IMG -- "/home/thuth/tmp/qemu-build/qemu-img"
QEMU_IO -- "/home/thuth/tmp/qemu-build/qemu-io" --cache writeback
--aio threads -f raw
QEMU_NBD -- "/home/thuth/tmp/qemu-build/qemu-nbd"
IMGFMT -- raw
IMGPROTO -- file
PLATFORM -- Linux/x86_64 thuth-p1g4 6.16.10-200.fc42.x86_64
TEST_DIR -- /home/thuth/tmp/qemu-build/tests/qemu-iotests/scratch
SOCK_DIR -- /tmp/qemu-iotests-eidif2rs
GDB_OPTIONS --
VALGRIND_QEMU --
PRINT_QEMU_OUTPUT --
233 fail [09:58:28] [09:58:30] 2.5s (last: 2.0s) output
mismatch (see
/home/thuth/tmp/qemu-build/tests/qemu-iotests/scratch/raw-file-233/233.out.bad)
--- /home/thuth/devel/qemu/tests/qemu-iotests/233.out
+++
/home/thuth/tmp/qemu-build/tests/qemu-iotests/scratch/raw-file-233/233.out.bad
@@ -43,51 +43,37 @@
== check TLS fail over TCP with mismatched hostname ==
qemu-img: Could not open
'driver=nbd,host=localhost,port=PORT,tls-creds=tls0': Certificate does not
match the hostname localhost
-qemu-nbd: Certificate does not match the hostname localhost
+qemu-nbd: Failed to read initial magic: Unable to read from socket:
Connection reset by peer
== check TLS works over TCP with mismatched hostname and override ==
-image: nbd://localhost:PORT
-file format: nbd
-virtual size: 64 MiB (67108864 bytes)
-disk size: unavailable
-exports available: 1
- export: ''
- size: 67108864
- min block: 1
- transaction size: 64-bit
+qemu-img: Could not open
'driver=nbd,host=localhost,port=PORT,tls-creds=tls0,tls-hostname=127.0.0.1':
Failed to connect to 'localhost:PORT': Connection refused
+qemu-nbd: Failed to connect to 'localhost:10809': Connection refused
== check TLS with different CA fails ==
-qemu-img: Could not open
'driver=nbd,host=127.0.0.1,port=PORT,tls-creds=tls0': The certificate hasn't
got a known issuer
-qemu-nbd: The certificate hasn't got a known issuer
+qemu-img: Could not open
'driver=nbd,host=127.0.0.1,port=PORT,tls-creds=tls0': Failed to connect to
'127.0.0.1:PORT': Connection refused
+qemu-nbd: Failed to connect to '127.0.0.1:10809': Connection refused
== perform I/O over TLS ==
-read 1048576/1048576 bytes at offset 1048576
-1 MiB, X ops; XX:XX:XX.X (XXX YYY/sec and XXX ops/sec)
-wrote 1048576/1048576 bytes at offset 1048576
-1 MiB, X ops; XX:XX:XX.X (XXX YYY/sec and XXX ops/sec)
+qemu-io: can't open: Failed to connect to '127.0.0.1:10809': Connection refused
+Pattern verification failed at offset 1048576, 1048576 bytes
read 1048576/1048576 bytes at offset 1048576
1 MiB, X ops; XX:XX:XX.X (XXX YYY/sec and XXX ops/sec)
== check TLS with authorization ==
-qemu-img: Could not open
'driver=nbd,host=127.0.0.1,port=PORT,tls-creds=tls0': Failed to read option
reply: Cannot read from TLS channel: The TLS connection was non-properly
terminated.
-qemu-img: Could not open
'driver=nbd,host=127.0.0.1,port=PORT,tls-creds=tls0': Failed to read option
reply: Cannot read from TLS channel: The TLS connection was non-properly
terminated.
+./common.nbd: line 38: kill: (545045) - No such process
+./common.rc: line 208: 545147 Segmentation fault (core dumped) (
VALGRIND_QEMU="${VALGRIND_QEMU_IMG}" _qemu_proc_exec "${VALGRIND_LOGFILE}"
"$QEMU_IMG_PROG" $QEMU_IMG_OPTIONS "$@" )
+./common.rc: line 208: 545163 Segmentation fault (core dumped) (
VALGRIND_QEMU="${VALGRIND_QEMU_IMG}" _qemu_proc_exec "${VALGRIND_LOGFILE}"
"$QEMU_IMG_PROG" $QEMU_IMG_OPTIONS "$@" )
== check TLS fail over UNIX with no hostname ==
qemu-img: Could not open
'driver=nbd,path=SOCK_DIR/qemu-nbd.sock,tls-creds=tls0': No hostname for
certificate validation
-qemu-nbd: No hostname for certificate validation
+qemu-nbd: Failed to read initial magic: Unable to read from socket:
Connection reset by peer
== check TLS works over UNIX with hostname override ==
-image: nbd+unix://?socket=SOCK_DIR/qemu-nbd.sock
-file format: nbd
-virtual size: 64 MiB (67108864 bytes)
-disk size: unavailable
-exports available: 1
- export: ''
- size: 67108864
- min block: 1
- transaction size: 64-bit
+qemu-img: Could not open
'driver=nbd,path=SOCK_DIR/qemu-nbd.sock,tls-creds=tls0,tls-hostname=127.0.0.1':
Failed to connect to
'/tmp/qemu-iotests-eidif2rs/raw-file-233/qemu-nbd.sock': Connection refused
+qemu-nbd: Failed to connect to
'/tmp/qemu-iotests-eidif2rs/raw-file-233/qemu-nbd.sock': Connection refused
== check TLS works over UNIX with PSK ==
+./common.nbd: line 38: kill: (545184) - No such process
image: nbd+unix://?socket=SOCK_DIR/qemu-nbd.sock
file format: nbd
virtual size: 64 MiB (67108864 bytes)
@@ -103,14 +89,8 @@
qemu-nbd: TLS handshake failed: The TLS connection was non-properly
terminated.
== final server log ==
-qemu-nbd: option negotiation failed: Failed to read opts magic: Cannot read
from TLS channel: The TLS connection was non-properly terminated.
-qemu-nbd: option negotiation failed: Failed to read opts magic: Cannot read
from TLS channel: The TLS connection was non-properly terminated.
-qemu-nbd: option negotiation failed: Verify failed: No certificate was found.
-qemu-nbd: option negotiation failed: Verify failed: No certificate was found.
qemu-nbd: option negotiation failed: TLS x509 authz check for
DISTINGUISHED-NAME is denied
qemu-nbd: option negotiation failed: TLS x509 authz check for
DISTINGUISHED-NAME is denied
-qemu-nbd: option negotiation failed: Failed to read opts magic: Cannot read
from TLS channel: The TLS connection was non-properly terminated.
-qemu-nbd: option negotiation failed: Failed to read opts magic: Cannot read
from TLS channel: The TLS connection was non-properly terminated.
qemu-nbd: option negotiation failed: TLS handshake failed: An illegal
parameter has been received.
qemu-nbd: option negotiation failed: TLS handshake failed: An illegal
parameter has been received.
*** done
Failures: 233
Failed 1 of 1 iotests
Could you please have a look?
Thanks,
Thomas