[Libguestfs] [PATCH libnbd 4/5] interop: Add -DTLS_MODE to the test.
Eric Blake
eblake at redhat.com
Wed Sep 18 12:41:52 UTC 2019
On 9/17/19 5:35 PM, Richard W.M. Jones wrote:
> This neutral refactoring adds -DTLS_MODE. We can in future change the
> requested TLS mode, but not in this commit.
>
> It also checks that nbd_get_tls_negotiated returns true after
> connecting, when the requested mode was set to LIBNBD_TLS_REQUIRE.
> ---
> interop/Makefile.am | 4 ++++
> interop/interop.c | 26 ++++++++++++++++++++------
> 2 files changed, 24 insertions(+), 6 deletions(-)
> +#if CERTS || PSK
> +#define TLS 1
> +#ifndef TLS_MODE
> +#error "TLS_MODE must be defined when using CERTS || PSK"
> +#endif
> +#endif
> +
> int
> main (int argc, char *argv[])
> {
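Review bot: TLS is defined only inside the `#if CERTS || PSK` branch at the top of this hunk, so the `#if TLS` test further down relies on the preprocessor treating an undefined identifier as 0, which warns under -Wundef. Consider adding an `#else` with `#define TLS 0`, or testing with `#ifdef TLS` instead. The `#error` for a missing TLS_MODE is a useful guard; a short comment naming the values TLS_MODE is expected to take would make the error easier to act on.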
> @@ -73,15 +80,12 @@ main (int argc, char *argv[])
> }
> #endif
>
> -#if CERTS || PSK
> - /* Require TLS on the handle and fail if not available or if the
> - * handshake fails.
> - */
> +#if TLS
> if (nbd_supports_tls (nbd) != 1) {
> fprintf (stderr, "skip: compiled without TLS support\n");
> exit (77);
> }
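Review bot: in the `#if TLS` block the comment "Require TLS on the handle and fail if not available or if the handshake fails" is deleted without a replacement, so the block no longer says what it enforces once the mode comes from -DTLS_MODE. Add a comment stating what the test expects for the configured mode, and note there that the `nbd_supports_tls (nbd) != 1` check exits with 77 whatever TLS_MODE is, so a build without TLS support skips the test rather than reporting a failure.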
This skips the test if we are compiled without TLS support, even if
TLS_ALLOW was requested. What behavior do we really want there? Is
TLS_ALLOW unconditionally falling back to plaintext okay, or do we only
want to permit TLS_ALLOW if TLS support is at least plausible?

Otherwise, the series is fine.
--
Eric Blake, Principal Software Engineer
Red Hat, Inc. +1-919-301-3226
Virtualization: qemu.org | libvirt.org