[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: [Libguestfs] [PATCH libnbd 4/5] interop: Add -DTLS_MODE to the test.



On 9/17/19 5:35 PM, Richard W.M. Jones wrote:
> This neutral refactoring adds -DTLS_MODE.  We can in future change the
> requested TLS mode, but not in this commit.
> 
> It also checks that nbd_get_tls_negotiated returns true after
> connecting, when the requested mode was set to LIBNBD_TLS_REQUIRE.
> ---
>  interop/Makefile.am |  4 ++++
>  interop/interop.c   | 26 ++++++++++++++++++++------
>  2 files changed, 24 insertions(+), 6 deletions(-)

> +#if CERTS || PSK
> +#define TLS 1
> +#ifndef TLS_MODE
> +#error "TLS_MODE must be defined when using CERTS || PSK"
> +#endif
> +#endif
> +
>  int
>  main (int argc, char *argv[])
>  {
> @@ -73,15 +80,12 @@ main (int argc, char *argv[])
>    }
>  #endif
>  
> -#if CERTS || PSK
> -  /* Require TLS on the handle and fail if not available or if the
> -   * handshake fails.
> -   */
> +#if TLS
>    if (nbd_supports_tls (nbd) != 1) {
>      fprintf (stderr, "skip: compiled without TLS support\n");
>      exit (77);
>    }

This skips the test if we are compiled without TLS support, even if
TLS_ALLOW was requested.  What behavior do we really want there?  Is
TLS_ALLOW unconditionally falling back to plaintext okay, or do we only
want to permit TLS_ALLOW if TLS support is at least plausible?

Otherwise, the series is fine.

-- 
Eric Blake, Principal Software Engineer
Red Hat, Inc.           +1-919-301-3226
Virtualization:  qemu.org | libvirt.org

Attachment: signature.asc
Description: OpenPGP digital signature


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]