[Libguestfs] [PATCH libnbd 5/5] interop: Add tests of nbdkit + LIBNBD_TLS_ALLOW.

Richard W.M. Jones rjones at redhat.com
Tue Sep 17 22:35:34 UTC 2019


Test both the TLS enabled and fallback paths.

nbd-server doesn't appear to support TLS at all, and qemu-nbd is known
not to allow fallback to unencrypted, and therefore it only makes
sense to test nbdkit at the moment.
---
 .gitignore          |  4 ++++
 TODO                |  3 ---
 interop/Makefile.am | 54 +++++++++++++++++++++++++++++++++++++++++++++
 interop/interop.c   | 30 ++++++++++++++++++++-----
 4 files changed, 82 insertions(+), 9 deletions(-)

diff --git a/.gitignore b/.gitignore
index ab47370..dd8a052 100644
--- a/.gitignore
+++ b/.gitignore
@@ -62,7 +62,11 @@ Makefile.in
 /interop/dirty-bitmap
 /interop/interop-nbdkit
 /interop/interop-nbdkit-tls-certs
+/interop/interop-nbdkit-tls-certs-allow-enabled
+/interop/interop-nbdkit-tls-certs-allow-fallback
 /interop/interop-nbdkit-tls-psk
+/interop/interop-nbdkit-tls-psk-allow-enabled
+/interop/interop-nbdkit-tls-psk-allow-fallback
 /interop/interop-nbd-server
 /interop/interop-qemu-nbd
 /interop/interop-qemu-nbd-tls-certs
diff --git a/TODO b/TODO
index 21feb2f..642d39f 100644
--- a/TODO
+++ b/TODO
@@ -17,9 +17,6 @@ NBD_INFO_BLOCK_SIZE.
 
 TLS should properly shut down the session (calling gnutls_bye).
 
-LIBNBD_TLS_ALLOW is not tested.  Related to this,
-nbd_get_tls_negotiated is not tested.
-
 Implement nbd_connect + systemd socket activation.
 
 Improve function trace output so that:
diff --git a/interop/Makefile.am b/interop/Makefile.am
index 8a5b787..43350a8 100644
--- a/interop/Makefile.am
+++ b/interop/Makefile.am
@@ -145,17 +145,25 @@ if HAVE_GNUTLS
 if HAVE_CERTTOOL
 check_PROGRAMS += \
 	interop-nbdkit-tls-certs \
+	interop-nbdkit-tls-certs-allow-enabled \
+	interop-nbdkit-tls-certs-allow-fallback \
 	$(NULL)
 TESTS += \
 	interop-nbdkit-tls-certs \
+	interop-nbdkit-tls-certs-allow-enabled \
+	interop-nbdkit-tls-certs-allow-fallback \
 	$(NULL)
 endif
 if HAVE_PSKTOOL
 check_PROGRAMS += \
 	interop-nbdkit-tls-psk \
+	interop-nbdkit-tls-psk-allow-enabled \
+	interop-nbdkit-tls-psk-allow-fallback \
 	$(NULL)
 TESTS += \
 	interop-nbdkit-tls-psk \
+	interop-nbdkit-tls-psk-allow-enabled \
+	interop-nbdkit-tls-psk-allow-fallback \
 	$(NULL)
 endif
 endif
@@ -180,6 +188,29 @@ interop_nbdkit_tls_certs_CPPFLAGS = \
 interop_nbdkit_tls_certs_CFLAGS = $(WARNINGS_CFLAGS)
 interop_nbdkit_tls_certs_LDADD = $(top_builddir)/lib/libnbd.la
 
+interop_nbdkit_tls_certs_allow_enabled_SOURCES = interop.c
+interop_nbdkit_tls_certs_allow_enabled_CPPFLAGS = \
+	-I$(top_srcdir)/include \
+	-DSERVER=\"$(NBDKIT)\" \
+	-DSERVER_PARAMS='"--tls=require", "--tls-certificates=../tests/pki", "-s", "--exit-with-parent", "file", tmpfile' \
+	-DCERTS=1 \
+	-DTLS_MODE=LIBNBD_TLS_ALLOW \
+	$(NULL)
+interop_nbdkit_tls_certs_allow_enabled_CFLAGS = $(WARNINGS_CFLAGS)
+interop_nbdkit_tls_certs_allow_enabled_LDADD = $(top_builddir)/lib/libnbd.la
+
+interop_nbdkit_tls_certs_allow_fallback_SOURCES = interop.c
+interop_nbdkit_tls_certs_allow_fallback_CPPFLAGS = \
+	-I$(top_srcdir)/include \
+	-DSERVER=\"$(NBDKIT)\" \
+	-DSERVER_PARAMS='"--tls=off", "-s", "--exit-with-parent", "file", tmpfile' \
+	-DCERTS=1 \
+	-DTLS_MODE=LIBNBD_TLS_ALLOW \
+	-DTLS_FALLBACK=1 \
+	$(NULL)
+interop_nbdkit_tls_certs_allow_fallback_CFLAGS = $(WARNINGS_CFLAGS)
+interop_nbdkit_tls_certs_allow_fallback_LDADD = $(top_builddir)/lib/libnbd.la
+
 interop_nbdkit_tls_psk_SOURCES = interop.c
 interop_nbdkit_tls_psk_CPPFLAGS = \
 	-I$(top_srcdir)/include \
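Review bot: The `allow-enabled` target starts nbdkit with `--tls=require`, so a client that wrongly skipped TLS would already fail at connect time, and the `nbd_get_tls_negotiated` assertion in interop.c never gets to decide the outcome. The case where LIBNBD_TLS_ALLOW can silently end up in plaintext is a server that offers TLS but does not insist on it. Consider a third variant per credential type that runs the server with optional TLS and still expects TLS to be negotiated, e.g. `-DSERVER_PARAMS='"--tls=on", "--tls-certificates=../tests/pki", "-s", "--exit-with-parent", "file", tmpfile'` (assuming the nbdkit under test accepts `--tls=on`). The same gap applies to the PSK targets in the following hunk.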
@@ -191,6 +222,29 @@ interop_nbdkit_tls_psk_CPPFLAGS = \
 interop_nbdkit_tls_psk_CFLAGS = $(WARNINGS_CFLAGS)
 interop_nbdkit_tls_psk_LDADD = $(top_builddir)/lib/libnbd.la
 
+interop_nbdkit_tls_psk_allow_enabled_SOURCES = interop.c
+interop_nbdkit_tls_psk_allow_enabled_CPPFLAGS = \
+	-I$(top_srcdir)/include \
+	-DSERVER=\"$(NBDKIT)\" \
+	-DSERVER_PARAMS='"--tls=require", "--tls-psk=../tests/keys.psk", "-s", "--exit-with-parent", "file", tmpfile' \
+	-DPSK=1 \
+	-DTLS_MODE=LIBNBD_TLS_ALLOW \
+	$(NULL)
+interop_nbdkit_tls_psk_allow_enabled_CFLAGS = $(WARNINGS_CFLAGS)
+interop_nbdkit_tls_psk_allow_enabled_LDADD = $(top_builddir)/lib/libnbd.la
+
+interop_nbdkit_tls_psk_allow_fallback_SOURCES = interop.c
+interop_nbdkit_tls_psk_allow_fallback_CPPFLAGS = \
+	-I$(top_srcdir)/include \
+	-DSERVER=\"$(NBDKIT)\" \
+	-DSERVER_PARAMS='"--tls=off", "-s", "--exit-with-parent", "file", tmpfile' \
+	-DPSK=1 \
+	-DTLS_MODE=LIBNBD_TLS_ALLOW \
+	-DTLS_FALLBACK=1 \
+	$(NULL)
+interop_nbdkit_tls_psk_allow_fallback_CFLAGS = $(WARNINGS_CFLAGS)
+interop_nbdkit_tls_psk_allow_fallback_LDADD = $(top_builddir)/lib/libnbd.la
+
 endif HAVE_NBDKIT
 
 check-valgrind:
diff --git a/interop/interop.c b/interop/interop.c
index 2772721..3d916f2 100644
--- a/interop/interop.c
+++ b/interop/interop.c
@@ -147,12 +147,30 @@ main (int argc, char *argv[])
 #endif
 
 #if TLS
-  if (TLS_MODE == LIBNBD_TLS_REQUIRE &&
-      nbd_get_tls_negotiated (nbd) != 1) {
-    fprintf (stderr,
-             "%s: TLS required, but not negotiated on the connection\n",
-             argv[0]);
-    goto out;
+  if (TLS_MODE == LIBNBD_TLS_REQUIRE) {
+    if (nbd_get_tls_negotiated (nbd) != 1) {
+      fprintf (stderr,
+               "%s: TLS required, but not negotiated on the connection\n",
+               argv[0]);
+      goto out;
+    }
+  }
+  else if (TLS_MODE == LIBNBD_TLS_ALLOW) {
+#if TLS_FALLBACK
+    if (nbd_get_tls_negotiated (nbd) != 0) {
+      fprintf (stderr,
+               "%s: TLS disabled, but connection didn't fall back to plaintext\n",
+               argv[0]);
+      goto out;
+    }
+#else // !TLS_FALLBACK
+    if (nbd_get_tls_negotiated (nbd) != 1) {
+      fprintf (stderr,
+               "%s: TLS required, but not negotiated on the connection\n",
+               argv[0]);
+      goto out;
+    }
+#endif
   }
 #endif
 
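Review bot: In the `#else // !TLS_FALLBACK` branch the failure message still says "TLS required, but not negotiated" although the mode under test is LIBNBD_TLS_ALLOW, so a failing `*-allow-enabled` run would be logged as if it were the REQUIRE test. Something like `"%s: TLS allowed and offered by the server, but not negotiated on the connection\n"` keeps the two cases apart. If `nbd_get_tls_negotiated` can return -1 on error (worth confirming against the API docs), the `!= 0` check in the fallback branch would report that error as "didn't fall back to plaintext"; a separate `< 0` check would make the log accurate. A short comment above the ALLOW branch, e.g. `/* ALLOW is opportunistic: plaintext is an accepted outcome here, so this mode gives no protection against an active downgrade. */`, would tell readers why plaintext is the expected result. `main` begins and ends outside this hunk.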
-- 
2.23.0



