From: Daniel P. Berrangé
To: qemu-devel@nongnu.org
Cc: Kevin Wolf, Vladimir Sementsov-Ogievskiy, Daniel P. Berrangé, qemu-block@nongnu.org, Markus Armbruster, Hanna Reitz, Eric Blake
Subject: [PATCH 01/12] crypto: mandate a hostname when checking x509 creds on a client
Date: Thu, 3 Mar 2022 16:03:19 +0000
Message-Id: <20220303160330.2979753-2-berrange@redhat.com>
In-Reply-To: <20220303160330.2979753-1-berrange@redhat.com>
References: <20220303160330.2979753-1-berrange@redhat.com>

Currently the TLS session object assumes that the caller will always
provide a hostname when using x509 creds on a client endpoint. This
relies on the caller to detect and report an error if the user has
configured QEMU with x509 credentials on a UNIX socket. The migration
code has such a check, but it is too broad, reporting an error when
the user has configured QEMU with PSK credentials on a UNIX socket,
where hostnames are irrelevant.

Putting the check into the TLS session object credentials validation
code ensures we report errors in only the scenario that matters.

Signed-off-by: Daniel P. Berrangé
Reviewed-by: Eric Blake
---
 crypto/tlssession.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/crypto/tlssession.c b/crypto/tlssession.c
index a8db8c76d1..b302d835d2 100644
--- a/crypto/tlssession.c
+++ b/crypto/tlssession.c
@@ -373,6 +373,12 @@ qcrypto_tls_session_check_certificate(QCryptoTLSSessio= n *session, session->hostname); goto error; } + } else { + if (session->creds->endpoint =3D=3D + QCRYPTO_TLS_CREDS_ENDPOINT_CLIENT) { + error_setg(errp, "No hostname for certificate validati= on"); + goto error; + } } } =20
-- 
2.34.1

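Review bot: the new "} else { if (session->creds->endpoint == QCRYPTO_TLS_CREDS_ENDPOINT_CLIENT) {" nesting in the qcrypto_tls_session_check_certificate hunk reads better flattened to "} else if (session->creds->endpoint == QCRYPTO_TLS_CREDS_ENDPOINT_CLIENT) {", which sits naturally beside the existing hostname branch. Separately, the diffstat shows only crypto/tlssession.c changing, while the commit message calls the migration-side check too broad; that check is neither removed nor narrowed here, so PSK credentials on a UNIX socket will still be rejected by migration until a later patch drops it. Either fold that removal in here or say in the commit message that it comes later in the series.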
From: Daniel P. Berrangé
To: qemu-devel@nongnu.org
Cc: Kevin Wolf, Vladimir Sementsov-Ogievskiy, Daniel P. Berrangé, qemu-block@nongnu.org, Markus Armbruster, Hanna Reitz, Eric Blake
Subject: [PATCH 02/12] block: pass desired TLS hostname through from block driver client
Date: Thu, 3 Mar 2022 16:03:20 +0000
Message-Id: <20220303160330.2979753-3-berrange@redhat.com>
In-Reply-To: <20220303160330.2979753-1-berrange@redhat.com>
References: <20220303160330.2979753-1-berrange@redhat.com>

In

  commit a71d597b989fd701b923f09b3c20ac4fcaa55e81
  Author: Vladimir Sementsov-Ogievskiy
  Date:   Thu Jun 10 13:08:00 2021 +0300

    block/nbd: reuse nbd_co_do_establish_connection() in nbd_open()

the use of the 'hostname' field from the BDRVNBDState struct was lost,
and 'nbd_connect' just hardcoded it to match the IP socket address.
This was a harmless bug at the time since we block use with anything
other than IP sockets. Shortly though, we want to allow the caller to
override the hostname used in the TLS certificate checks. This is to
allow for TLS when doing port forwarding or tunneling. Thus we need to
reinstate the passing along of the 'hostname'.

Signed-off-by: Daniel P. Berrangé
Reviewed-by: Eric Blake
---
 block/nbd.c             |  7 ++++---
 include/block/nbd.h     |  3 ++-
 nbd/client-connection.c | 12 +++++++++---
 3 files changed, 15 insertions(+), 7 deletions(-)

diff --git a/block/nbd.c b/block/nbd.c
index 5853d85d60..dd43929207 100644
--- a/block/nbd.c
+++ b/block/nbd.c
@@ -92,7 +92,7 @@ typedef struct BDRVNBDState { SocketAddress *saddr; char *export, *tlscredsid; QCryptoTLSCreds *tlscreds; - const char *hostname; + const char *tlshostname; char *x_dirty_bitmap; bool alloc_depth; =20 @@ -1835,7 +1835,7 @@ static int nbd_process_options(BlockDriverState *bs, = QDict *options, error_setg(errp, "TLS only supported over IP sockets"); goto error; } - s->hostname =3D s->saddr->u.inet.host; + s->tlshostname =3D s->saddr->u.inet.host; } =20 s->x_dirty_bitmap =3D g_strdup(qemu_opt_get(opts, "x-dirty-bitmap")); @@ -1875,7 +1875,8 @@ static int nbd_open(BlockDriverState *bs, QDict *opti= ons, int flags, } =20 s->conn =3D nbd_client_connection_new(s->saddr, true, s->export, - s->x_dirty_bitmap, s->tlscreds); + s->x_dirty_bitmap, s->tlscreds, + s->tlshostname); =20 if (s->open_timeout) { nbd_client_connection_enable_retry(s->conn);
diff --git a/include/block/nbd.h b/include/block/nbd.h
index 78d101b774..a98eb665da 100644
--- a/include/block/nbd.h
+++ b/include/block/nbd.h
@@ -415,7 +415,8 @@ NBDClientConnection *nbd_client_connection_new(const So= cketAddress *saddr, bool do_negotiation, const char *export_name, const char *x_dirty_bitmap, - QCryptoTLSCreds *tlscreds); + QCryptoTLSCreds *tlscreds, + const char *tlshostname); void nbd_client_connection_release(NBDClientConnection *conn); =20 QIOChannel *coroutine_fn diff --git a/nbd/client-connection.c b/nbd/client-connection.c index 2bda42641d..2a632931c3 100644 --- a/nbd/client-connection.c +++ b/nbd/client-connection.c @@ -33,6 +33,7 @@ struct NBDClientConnection { /* Initialization constants, never change */ SocketAddress *saddr; /* address to connect to */ QCryptoTLSCreds *tlscreds; + char *tlshostname; NBDExportInfo initial_info; bool do_negotiation; bool do_retry; @@ -77,7 +78,8 @@ NBDClientConnection *nbd_client_connection_new(const Sock= etAddress *saddr, bool do_negotiation, const char *export_name, const char *x_dirty_bitmap, - QCryptoTLSCreds *tlscreds) + QCryptoTLSCreds *tlscreds, + const char *tlshostname) { NBDClientConnection *conn =3D g_new(NBDClientConnection, 1); =20 @@ -85,6 +87,7 @@ NBDClientConnection *nbd_client_connection_new(const Sock= etAddress *saddr, *conn =3D (NBDClientConnection) { .saddr =3D QAPI_CLONE(SocketAddress, saddr), .tlscreds =3D tlscreds, + .tlshostname =3D g_strdup(tlshostname), .do_negotiation =3D do_negotiation, =20 .initial_info.request_sizes =3D true, @@ -107,6 +110,7 @@ static void nbd_client_connection_do_free(NBDClientConn= ection *conn) } error_free(conn->err); qapi_free_SocketAddress(conn->saddr); + g_free(conn->tlshostname); object_unref(OBJECT(conn->tlscreds)); g_free(conn->initial_info.x_dirty_bitmap); g_free(conn->initial_info.name); @@ -120,6 +124,7 @@ static void nbd_client_connection_do_free(NBDClientConn= ection *conn) */ static int nbd_connect(QIOChannelSocket *sioc, SocketAddress *addr, NBDExportInfo *info, QCryptoTLSCreds *tlscreds, + const char *tlshostname, QIOChannel **outioc, Error **errp) { int ret; 
@@ -140,7 +145,7 @@ static int nbd_connect(QIOChannelSocket *sioc, SocketAd= dress *addr, } =20 ret =3D nbd_receive_negotiate(NULL, QIO_CHANNEL(sioc), tlscreds, - tlscreds ? addr->u.inet.host : NULL, + tlshostname, outioc, info, errp); if (ret < 0) { /* 
@@ -183,7 +188,8 @@ static void *connect_thread_func(void *opaque) =20 ret =3D nbd_connect(conn->sioc, conn->saddr, conn->do_negotiation ? &conn->updated_info : NUL= L, - conn->tlscreds, &conn->ioc, &local_err); + conn->tlscreds, conn->tlshostname, + &conn->ioc, &local_err); =20 /* * conn->updated_info will finally be returned to the user. Clear = the
-- 
2.34.1

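Review bot: in the nbd_connect hunk the hostname handed to nbd_receive_negotiate changes from "tlscreds ? addr->u.inet.host : NULL" to an unconditional "tlshostname". That is only safe because the single caller in this series sets s->tlshostname inside the tlscreds branch of nbd_process_options, so it stays NULL whenever TLS is off; that invariant now lives implicitly in two files. Either keep the guard as "tlscreds ? tlshostname : NULL" in nbd_connect, or add a comment there stating that tlshostname must be NULL when tlscreds is NULL.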
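Review bot: the new "const char *tlshostname" parameter of nbd_client_connection_new in include/block/nbd.h has no comment saying what it is for, namely the name checked against the server's x509 certificate, nor that it may be NULL when TLS is not in use and is copied with g_strdup rather than retained by pointer. A one-line comment on the declaration would stop future callers from passing the socket address out of habit, which is exactly the behaviour this patch is undoing.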
From: Daniel P. Berrangé
To: qemu-devel@nongnu.org
Cc: Kevin Wolf, Vladimir Sementsov-Ogievskiy, Daniel P. Berrangé, qemu-block@nongnu.org, Markus Armbruster, Hanna Reitz, Eric Blake
Subject: [PATCH 03/12] block/nbd: support override of hostname for TLS certificate validation
Date: Thu, 3 Mar 2022 16:03:21 +0000
Message-Id: <20220303160330.2979753-4-berrange@redhat.com>
In-Reply-To: <20220303160330.2979753-1-berrange@redhat.com>
References: <20220303160330.2979753-1-berrange@redhat.com>

When connecting to an NBD server with TLS and x509 credentials, the
client must validate the hostname it uses for the connection, against
that published in the server's certificate. If the client is tunnelling
its connection over some other channel, however, the hostname it uses
may not match the info reported in the server's certificate.

In such a case, the user needs to explicitly set an override for the
hostname to use for certificate validation. This is achieved by adding
a 'tls-hostname' property to the NBD block driver.

Signed-off-by: Daniel P. Berrangé
Reviewed-by: Eric Blake
---
 block/nbd.c          | 18 +++++++++++++++---
 qapi/block-core.json |  3 +++
 2 files changed, 18 insertions(+), 3 deletions(-)

diff --git a/block/nbd.c b/block/nbd.c
index dd43929207..113aa5d3af 100644
--- a/block/nbd.c
+++ b/block/nbd.c
@@ -90,9 +90,10 @@ typedef struct BDRVNBDState { uint32_t reconnect_delay; uint32_t open_timeout; SocketAddress *saddr; - char *export, *tlscredsid; + char *export; + char *tlscredsid; QCryptoTLSCreds *tlscreds; - const char *tlshostname; + char *tlshostname; char *x_dirty_bitmap; bool alloc_depth; =20 @@ -121,6 +122,8 @@ static void nbd_clear_bdrvstate(BlockDriverState *bs) s->export =3D NULL; g_free(s->tlscredsid); s->tlscredsid =3D NULL; + g_free(s->tlshostname); + s->tlshostname =3D NULL; g_free(s->x_dirty_bitmap); s->x_dirty_bitmap =3D NULL; } @@ -1764,6 +1767,11 @@ static QemuOptsList nbd_runtime_opts =3D { .type =3D QEMU_OPT_STRING, .help =3D "ID of the TLS credentials to use", }, + { + .name =3D "tls-hostname", + .type =3D QEMU_OPT_STRING, + .help =3D "Override hostname for validating TLS x509 certifica= te", + }, { .name =3D "x-dirty-bitmap", .type =3D QEMU_OPT_STRING, 
@@ -1835,7 +1843,10 @@ static int nbd_process_options(BlockDriverState *bs,= QDict *options, error_setg(errp, "TLS only supported over IP sockets"); goto error; } - s->tlshostname =3D s->saddr->u.inet.host; + s->tlshostname =3D g_strdup(qemu_opt_get(opts, "tls-hostname")); + if (!s->tlshostname) { + s->tlshostname =3D g_strdup(s->saddr->u.inet.host); + } } =20 s->x_dirty_bitmap =3D g_strdup(qemu_opt_get(opts, "x-dirty-bitmap")); @@ -2037,6 +2048,7 @@ static const char *const nbd_strong_runtime_opts[] = =3D { "port", "export", "tls-creds", + "tls-hostname", "server.", =20 NULL diff --git a/qapi/block-core.json b/qapi/block-core.json index 9a5a3641d0..c1b0435f57 100644 --- a/qapi/block-core.json +++ b/qapi/block-core.json @@ -4078,6 +4078,8 @@ # # @tls-creds: TLS credentials ID # +# @tls-hostname: TLS hostname override for certificate validation +# # @x-dirty-bitmap: A metadata context name such as "qemu:dirty-bitmap:NAME" # or "qemu:allocation-depth" to query in place of the # traditional "base:allocation" block status (see 
@@ -4108,6 +4110,7 @@ 'data': { 'server': 'SocketAddress', '*export': 'str', '*tls-creds': 'str', + '*tls-hostname': 'str', '*x-dirty-bitmap': { 'type': 'str', 'features': [ 'unstable' ]= }, '*reconnect-delay': 'uint32', '*open-timeout': 'uint32' } }
-- 
2.34.1

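Review bot: in the nbd_process_options hunk "tls-hostname" is only read inside the tlscreds branch, so a user who sets tls-hostname without tls-creds gets no error and the value is silently dropped; the qemu-nbd patch that follows rejects that combination ("--tls-hostname is not permitted without --tls-creds"), and the block driver should be consistent and fail the same way. The new code also still sits under the "TLS only supported over IP sockets" check, so until that restriction is lifted later in the series the override only ever applies to inet connections; worth a sentence in the commit message or the option help.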
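Review bot: the "@tls-hostname: TLS hostname override for certificate validation" line added to qapi/block-core.json does not say what the default is, even though the nbd_process_options hunk makes it clear (the server's inet host), and it carries no version annotation; new QAPI members normally get a "(since X.Y)" suffix so that management applications can probe for them. Suggest "@tls-hostname: TLS hostname override for certificate validation; defaults to the server's inet host (since X.Y)" with the right release filled in.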
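The hostname rules laid out in the commit messages of patches 1 and 3 above (an explicit override wins, otherwise the inet host is used, x509 on a UNIX socket without an override is an error, and PSK never needs a name), carried through to the name-matching step a TLS library then performs, as an added example. This is illustrative Python written for this page, not QEMU's code: the function names, the "x509"/"psk" credential labels and the certificate subjectAltName data are all constructed for the example, and the matching follows the usual RFC 6125 dNSName/iPAddress rules rather than any particular library.

```python
"""Hostname selection and x509 name matching for a TLS client.

Added example, not QEMU code. It models the rules from the commit
messages above (explicit override wins, otherwise the inet host,
x509 on a UNIX socket without an override is an error, PSK needs no
hostname) and then matches the chosen name against a certificate's
subjectAltName the way a TLS library would. The SAN data below is
constructed for the example.
"""
import ipaddress
from typing import Optional, Sequence


class TLSHostnameError(ValueError):
    """Raised when x509 validation is requested but no hostname exists."""


def verification_hostname(creds: Optional[str], socket_type: str,
                          host: Optional[str],
                          tls_hostname: Optional[str]) -> Optional[str]:
    """Return the name to validate the server certificate against.

    creds: None (plain), "psk" or "x509" (labels chosen for this example);
    socket_type: "inet" or "unix".
    """
    if creds != "x509":
        # Plain or PSK sessions never look at a hostname.
        return None
    if tls_hostname:
        # Explicit override, e.g. the real server name behind a tunnel.
        return tls_hostname
    if socket_type == "inet" and host:
        return host
    # x509 on a UNIX socket (or an inet address with no host) cannot be
    # validated: this is the check patch 1 moves into the session object.
    raise TLSHostnameError("No hostname for certificate validation")


def _dns_name_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125 style dNSName comparison with a left-most-label wildcard."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if "*" not in pattern:
        return p == h
    # The wildcard must be the whole left-most label, must leave at least
    # two labels after it (no "*.com") and never spans a dot.
    if p[0] != "*" or len(p) < 3 or any("*" in lbl for lbl in p[1:]):
        return False
    return len(p) == len(h) and p[1:] == h[1:]


def certificate_matches(san_dns: Sequence[str], san_ip: Sequence[str],
                        hostname: str) -> bool:
    """Match hostname against subjectAltName entries.

    An IP literal is only compared with iPAddress entries, never with
    dNSName entries, so a tunnel endpoint such as 127.0.0.1 will not match
    a certificate issued for nbd.example.com.
    """
    try:
        ip = ipaddress.ip_address(hostname)
    except ValueError:
        return any(_dns_name_matches(d, hostname) for d in san_dns)
    return any(ipaddress.ip_address(x) == ip for x in san_ip)


# Constructed SAN of the remote NBD server's certificate (example data).
SERVER_SAN_DNS = ("nbd.example.com", "*.storage.example.com")
SERVER_SAN_IP = ("192.0.2.10",)


def validate(creds, socket_type, host, tls_hostname):
    """Both steps together; returns (name_checked, accepted)."""
    name = verification_hostname(creds, socket_type, host, tls_hostname)
    if name is None:
        return None, True
    return name, certificate_matches(SERVER_SAN_DNS, SERVER_SAN_IP, name)


if __name__ == "__main__":
    # Direct connection: the inet host is the certificate name.
    print(validate("x509", "inet", "nbd.example.com", None))
    # Through a local tunnel: 127.0.0.1 is not in the certificate ...
    print(validate("x509", "inet", "127.0.0.1", None))
    # ... unless the caller overrides the name, as tls-hostname does.
    print(validate("x509", "inet", "127.0.0.1", "nbd.example.com"))
    # PSK over a UNIX socket needs no hostname at all.
    print(validate("psk", "unix", None, None))
```

Run it directly to see the four scenarios. The second one is the tunnel case that motivates tls-hostname: a certificate issued for nbd.example.com never matches the tunnel endpoint 127.0.0.1, because an IP literal is compared only with iPAddress entries, so without the override the connection is rejected, and with it the check is performed against the name the operator actually trusts rather than whatever the local forwarder answers on.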
From: Daniel P. Berrangé
To: qemu-devel@nongnu.org
Cc: Kevin Wolf, Vladimir Sementsov-Ogievskiy, Daniel P. Berrangé, qemu-block@nongnu.org, Markus Armbruster, Hanna Reitz, Eric Blake
Subject: [PATCH 04/12] qemu-nbd: add --tls-hostname option for TLS certificate validation
Date: Thu, 3 Mar 2022 16:03:22 +0000
Message-Id: <20220303160330.2979753-5-berrange@redhat.com>
In-Reply-To: <20220303160330.2979753-1-berrange@redhat.com>
References: <20220303160330.2979753-1-berrange@redhat.com>

When using the --list option, qemu-nbd acts as an NBD client rather
than a server. As such when using TLS, it has a need to validate the
server certificate. This adds a --tls-hostname option which can be
used to override the default hostname used for certificate validation.

Signed-off-by: Daniel P. Berrangé
Reviewed-by: Eric Blake
---
 docs/tools/qemu-nbd.rst | 14 ++++++++++++++
 qemu-nbd.c              | 17 ++++++++++++++++-
 2 files changed, 30 insertions(+), 1 deletion(-)

diff --git a/docs/tools/qemu-nbd.rst b/docs/tools/qemu-nbd.rst
index 6031f96893..acce54a39d 100644
--- a/docs/tools/qemu-nbd.rst
+++ b/docs/tools/qemu-nbd.rst
@@ -169,6 +169,20 @@ driver options if ``--image-opts`` is specified. option; or provide the credentials needed for connecting as a client in list mode. =20 +.. option:: --tls-hostname=3Dhostname + + When validating an x509 certificate received over a TLS connection, + the hostname that the NBD client used to connect will be checked + against information in the server provided certificate. Sometimes + it might be required to override the hostname used to perform this + check. For example if the NBD client is using a tunnel from localhost + to connect to the remote server. In this case the `--tls-hostname` + option should be used to set the officially expected hostname of + the remote NBD server. This can also be used if accessing NBD over + a UNIX socket where there is no inherant hostname available. This + only is only permitted when acting as a NBD client with the `--list` + option. + .. option:: --fork =20 Fork off the server process and exit the parent once the server is runni= ng.
diff --git a/qemu-nbd.c b/qemu-nbd.c
index c6c20df68a..be8043fb00 100644
--- a/qemu-nbd.c
+++ b/qemu-nbd.c
@@ -69,6 +69,7 @@ #define QEMU_NBD_OPT_TLSAUTHZ 264 #define QEMU_NBD_OPT_PID_FILE 265 #define QEMU_NBD_OPT_SELINUX_LABEL 266 +#define QEMU_NBD_OPT_TLSHOSTNAME 267 =20 #define MBR_SIZE 512 =20 
@@ -542,6 +543,7 @@ int main(int argc, char **argv) { "export-name", required_argument, NULL, 'x' }, { "description", required_argument, NULL, 'D' }, { "tls-creds", required_argument, NULL, QEMU_NBD_OPT_TLSCREDS }, + { "tls-hostname", required_argument, NULL, QEMU_NBD_OPT_TLSHOSTNAM= E }, { "tls-authz", required_argument, NULL, QEMU_NBD_OPT_TLSAUTHZ }, { "image-opts", no_argument, NULL, QEMU_NBD_OPT_IMAGE_OPTS }, { "trace", required_argument, NULL, 'T' }, @@ -568,6 +570,7 @@ int main(int argc, char **argv) strList *bitmaps =3D NULL; bool alloc_depth =3D false; const char *tlscredsid =3D NULL; + const char *tlshostname =3D NULL; bool imageOpts =3D false; bool writethrough =3D false; /* Client will flush as needed. */ bool fork_process =3D false; @@ -747,6 +750,9 @@ int main(int argc, char **argv) case QEMU_NBD_OPT_TLSCREDS: tlscredsid =3D optarg; break; + case QEMU_NBD_OPT_TLSHOSTNAME: + tlshostname =3D optarg; + break; case QEMU_NBD_OPT_IMAGE_OPTS: imageOpts =3D true; break; @@ -835,6 +841,10 @@ int main(int argc, char **argv) error_report("TLS authorization is incompatible with export li= st"); exit(EXIT_FAILURE); } + if (tlshostname && !list) { + error_report("TLS hostname is only required with export list"); + exit(EXIT_FAILURE); + } tlscreds =3D nbd_get_tls_creds(tlscredsid, list, &local_err); if (local_err) { error_reportf_err(local_err, "Failed to get TLS creds: "); @@ -845,6 +855,10 @@ int main(int argc, char **argv) error_report("--tls-authz is not permitted without --tls-creds= "); exit(EXIT_FAILURE); } + if (tlshostname) { + error_report("--tls-hostname is not permitted without --tls-cr= eds"); + exit(EXIT_FAILURE); + } } =20 if (selinux_label) { 
@@ -861,7 +875,8 @@ int main(int argc, char **argv) =20 if (list) { saddr =3D nbd_build_socket_address(sockpath, bindto, port); - return qemu_nbd_client_list(saddr, tlscreds, bindto); + return qemu_nbd_client_list(saddr, tlscreds, + tlshostname ? tlshostname : bindto); } =20 #if !HAVE_NBD_DEVICE
-- 
2.34.1

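Review bot: typos in the new docs/tools/qemu-nbd.rst text: "inherant" should be "inherent", and "This only is only permitted when acting as a NBD client" should read "This is only permitted when acting as an NBD client". The option names are also wrapped in single backticks (`--tls-hostname`, `--list`), which reStructuredText renders as interpreted text rather than literal; the surrounding file uses double backticks, as in the ``--image-opts`` context line at the top of the hunk, so these should match.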
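Review bot: the error string "TLS hostname is only required with export list" is misleading, since that branch is rejecting the option, not requiring it; "TLS hostname is only permitted with export list" matches the "not permitted" wording of the sibling --tls-creds check in the same file. In the last hunk, "tlshostname ? tlshostname : bindto" still falls back to bindto when --list is used over a UNIX socket (sockpath rather than bindto names the server there), which is the very case the docs say --tls-hostname exists for; with patch 1 in place an unset bindto now fails late in the crypto layer with "No hostname for certificate validation", so consider an up-front qemu-nbd error that points the user at --tls-hostname when TLS is enabled, no override is given and the address is not an inet one.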
From: Daniel P. Berrangé
To: qemu-devel@nongnu.org
Subject: [PATCH 05/12] block/nbd: don't restrict TLS usage to IP sockets
Date: Thu, 3 Mar 2022 16:03:23 +0000
Message-Id: <20220303160330.2979753-6-berrange@redhat.com>
In-Reply-To: <20220303160330.2979753-1-berrange@redhat.com>
References: <20220303160330.2979753-1-berrange@redhat.com>
Cc: Kevin Wolf, Vladimir Sementsov-Ogievskiy, Daniel P. Berrangé, qemu-block@nongnu.org, Markus Armbruster, Hanna Reitz, Eric Blake

The TLS usage for NBD was restricted to IP sockets because validating x509 certificates
requires knowledge of the hostname that the client is connecting to. TLS does not have to use x509 certificates though, as PSK (pre-shared keys) provide an alternative credential option. These have no requirement for a hostname and can thus be trivially used for UNIX sockets. Furthermore, with the ability to override the default hostname for TLS validation in the previous patch, it is now also valid to want to use x509 certificates with FD passing and UNIX sockets.

Signed-off-by: Daniel P. Berrangé
Reviewed-by: Eric Blake
---
 block/nbd.c | 8 ++------
 blockdev-nbd.c | 6 ------
 qemu-nbd.c | 8 +++-----
 3 files changed, 5 insertions(+), 17 deletions(-)

diff --git a/block/nbd.c b/block/nbd.c index 113aa5d3af..3ede47dec9 100644 --- a/block/nbd.c +++ b/block/nbd.c @@ -1838,13 +1838,9 @@ static int nbd_process_options(BlockDriverState *bs,= QDict *options, goto error; } =20 - /* TODO SOCKET_ADDRESS_KIND_FD where fd has AF_INET or AF_INET6 */ - if (s->saddr->type !=3D SOCKET_ADDRESS_TYPE_INET) { - error_setg(errp, "TLS only supported over IP sockets"); - goto error; - } s->tlshostname =3D g_strdup(qemu_opt_get(opts, "tls-hostname")); - if (!s->tlshostname) { + if (!s->tlshostname && + s->saddr->type =3D=3D SOCKET_ADDRESS_TYPE_INET) { s->tlshostname =3D g_strdup(s->saddr->u.inet.host); } } diff --git a/blockdev-nbd.c b/blockdev-nbd.c index bdfa7ed3a5..9840d25a82 100644 --- a/blockdev-nbd.c +++ b/blockdev-nbd.c @@ -148,12 +148,6 @@ void nbd_server_start(SocketAddress *addr, const char = *tls_creds, if (!nbd_server->tlscreds) { goto error; } - - /* TODO SOCKET_ADDRESS_TYPE_FD where fd has AF_INET or AF_INET6 */ - if (addr->type !=3D SOCKET_ADDRESS_TYPE_INET) { - error_setg(errp, "TLS is only supported with IPv4/IPv6"); - goto error; - } } =20 nbd_server->tlsauthz =3D g_strdup(tls_authz); diff --git a/qemu-nbd.c b/qemu-nbd.c index be8043fb00..f4c5b247de 100644 --- a/qemu-nbd.c +++ b/qemu-nbd.c
@@ -808,7 +808,9 @@ int main(int argc, char **argv) =20 socket_activation =3D check_socket_activation(); if (socket_activation =3D=3D 0) { - setup_address_and_port(&bindto, &port); + if (!sockpath) { + setup_address_and_port(&bindto, &port); + } } else { /* Using socket activation - check user didn't use -p etc. */ const char *err_msg =3D socket_activation_validate_opts(device, so= ckpath, 
@@ -829,10 +831,6 @@ int main(int argc, char **argv) } =20 if (tlscredsid) { - if (sockpath) { - error_report("TLS is only supported with IPv4/IPv6"); - exit(EXIT_FAILURE); - } if (device) { error_report("TLS is not supported with a host device"); exit(EXIT_FAILURE); --=20 2.34.1
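Review bot: the block/nbd.c hunk now leaves s->tlshostname NULL whenever the socket is not SOCKET_ADDRESS_TYPE_INET and no tls-hostname option was given, and the removed "TLS only supported over IP sockets" error was the only thing stopping that combination. For PSK credentials a NULL hostname is fine, as the commit message says, but for x509 credentials over a UNIX or FD socket nothing in this hunk shows what the peer certificate's name is validated against. Suggest either failing here with an error along the lines of "tls-hostname is required for x509 credentials on non-IP sockets", or adding a comment naming the later check that guarantees a NULL hostname is rejected rather than the name check being silently skipped.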
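Review bot: with the `if (sockpath)` rejection removed in the qemu-nbd.c @@ -829 hunk, `qemu-nbd -L -k <path> --tls-creds <x509 creds>` now reaches the client-list call, whose hostname argument in the previous patch is `tlshostname ? tlshostname : bindto`; the @@ -808 hunk in this same file skips setup_address_and_port() when sockpath is set, so `bindto` is no longer populated on that path. Suggest requiring --tls-hostname when -k is combined with -L and x509 credentials (or confirming the NULL-hostname case errors out), so the UNIX-socket client path never ends up with no name to validate the server certificate against.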
From: Daniel P. Berrangé
To: qemu-devel@nongnu.org
Subject: [PATCH 06/12] tests/qemu-iotests: add QEMU_IOTESTS_REGEN=1 to update reference file
Date: Thu, 3 Mar 2022 16:03:24 +0000
Message-Id: <20220303160330.2979753-7-berrange@redhat.com>
In-Reply-To: <20220303160330.2979753-1-berrange@redhat.com>
References: <20220303160330.2979753-1-berrange@redhat.com>
Cc: Kevin Wolf, Vladimir Sementsov-Ogievskiy, Daniel P. Berrangé, qemu-block@nongnu.org, Markus Armbruster, Hanna Reitz, Eric Blake

When developing an I/O test it is typical to add some logic to the test
script, run it to view the output diff, and then apply the output diff to the reference file. This can be drastically simplified by letting the test runner update the reference file in place. By setting 'QEMU_IOTESTS_REGEN=1', the test runner will report the failure and show the diff, but at the same time update the reference file. So next time the I/O test is run it will succeed. Continuing to display the diff when updating the reference gives the developer a chance to review what was changed.

Signed-off-by: Daniel P. Berrangé
Reviewed-by: Eric Blake
---
 tests/qemu-iotests/testrunner.py | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/tests/qemu-iotests/testrunner.py b/tests/qemu-iotests/testrunn= er.py index 9a94273975..8a82696a6b 100644 --- a/tests/qemu-iotests/testrunner.py +++ b/tests/qemu-iotests/testrunner.py @@ -25,6 +25,7 @@ import contextlib import json import termios +import shutil import sys from multiprocessing import Pool from contextlib import contextmanager
@@ -320,6 +321,11 @@ def do_run_test(self, test: str, mp: bool) -> TestResu= lt: =20 diff =3D file_diff(str(f_reference), str(f_bad)) if diff: + if os.environ.get("QEMU_IOTESTS_REGEN", None) is not None: + shutil.copyfile(str(f_bad), str(f_reference)) + print("########################################") + print("##### REFERENCE FILE UPDATED #####") + print("########################################") return TestResult(status=3D'fail', elapsed=3Delapsed, description=3Df'output mismatch (see {f_bad}= )', diff=3Ddiff, casenotrun=3Dcasenotrun) --=20 2.34.1
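Review bot: in the @@ -320 hunk, `os.environ.get("QEMU_IOTESTS_REGEN", None) is not None` fires for any value, including QEMU_IOTESTS_REGEN=0 or an empty string, while the commit message documents QEMU_IOTESTS_REGEN=1; suggest `os.environ.get("QEMU_IOTESTS_REGEN") == "1"` so an exported-but-disabled variable does not silently overwrite reference files. The three print() banners are also emitted before the TestResult is returned, so in a parallel run (the `mp: bool` parameter visible in the hunk header) they can interleave with other tests' output; carrying the notice in the returned description (for example appending "reference file updated" to "output mismatch") would keep it attached to the test it belongs to.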
From: Daniel P. Berrangé
To: qemu-devel@nongnu.org
Subject: [PATCH 07/12] tests/qemu-iotests: expand _filter_nbd rules
Date: Thu, 3 Mar 2022 16:03:25 +0000
Message-Id: <20220303160330.2979753-8-berrange@redhat.com>
In-Reply-To: <20220303160330.2979753-1-berrange@redhat.com>
References: <20220303160330.2979753-1-berrange@redhat.com>
Cc: Kevin Wolf, Vladimir Sementsov-Ogievskiy, Daniel P. Berrangé, qemu-block@nongnu.org, Markus Armbruster, Hanna Reitz, Eric Blake

Some tests will want to use 'localhost' instead of '127.0.0.1', and some will use the image options
syntax rather than the classic URI syntax.

Signed-off-by: Daniel P. Berrangé
Reviewed-by: Eric Blake
---
 tests/qemu-iotests/common.filter | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/tests/qemu-iotests/common.filter b/tests/qemu-iotests/common.f= ilter index 75cc241580..25d1d22929 100644 --- a/tests/qemu-iotests/common.filter +++ b/tests/qemu-iotests/common.filter
@@ -300,6 +300,10 @@ _filter_nbd() # Filter out the TCP port number since this changes between runs. $SED -e '/nbd\/.*\.c:/d' \ -e 's#127\.0\.0\.1:[0-9]*#127.0.0.1:PORT#g' \ + -e 's#localhost:[0-9]*#localhost:PORT#g' \ + -e 's#host=3D127\.0\.0\.1,port=3D[0-9]*#host=3D127.0.0.1,port=3DPO= RT#g' \ + -e 's#host=3Dlocalhost,port=3D[0-9]*#host=3Dlocalhost,port=3DPORT#= g' \ + -e "s#path=3D$SOCK_DIR#path=3DSOCK_DIR#g" \ -e "s#?socket=3D$SOCK_DIR#?socket=3DSOCK_DIR#g" \ -e 's#\(foo\|PORT/\?\|.sock\): Failed to .*$#\1#' } --=20 2.34.1
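Review bot: the new `localhost:[0-9]*` and `host=...,port=[0-9]*` rules use `[0-9]*`, which also matches zero digits, so `localhost:` followed by something non-numeric is rewritten to `localhost:PORT` too; `[0-9]\+` would restrict the substitution to an actual port number. The `"s#path=$SOCK_DIR#path=SOCK_DIR#g"` rule mirrors the existing `?socket=` rule and inherits its caveat: $SOCK_DIR is interpolated unescaped into a sed expression delimited by `#`, so a socket directory containing `#` or regex metacharacters would break the filter; worth a comment above the rule so the assumption is recorded.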
From: Daniel P. Berrangé
To: qemu-devel@nongnu.org
Subject: [PATCH 08/12] tests/qemu-iotests: introduce filter for qemu-nbd export list
Date: Thu, 3 Mar 2022 16:03:26 +0000
Message-Id: <20220303160330.2979753-9-berrange@redhat.com>
In-Reply-To: <20220303160330.2979753-1-berrange@redhat.com>
References: <20220303160330.2979753-1-berrange@redhat.com>
Cc: Kevin Wolf, Vladimir Sementsov-Ogievskiy, Daniel P. Berrangé, qemu-block@nongnu.org, Markus Armbruster, Hanna Reitz, Eric Blake

Introduce a filter for the output of qemu-nbd export list so it can be reused
in multiple tests. The filter is a bit more permissive than what test 241 currently uses, as it allows printing of the export count, along with any possible error messages that might be emitted.

Signed-off-by: Daniel P. Berrangé
Reviewed-by: Eric Blake
---
 tests/qemu-iotests/241 | 6 +++---
 tests/qemu-iotests/241.out | 3 +++
 tests/qemu-iotests/common.filter | 5 +++++
 3 files changed, 11 insertions(+), 3 deletions(-)

diff --git a/tests/qemu-iotests/241 b/tests/qemu-iotests/241 index c962c8b607..f196650afa 100755 --- a/tests/qemu-iotests/241 +++ b/tests/qemu-iotests/241 @@ -58,7 +58,7 @@ echo =20 nbd_server_start_unix_socket -f $IMGFMT "$TEST_IMG_FILE" =20 -$QEMU_NBD_PROG --list -k $nbd_unix_socket | grep '\(size\|min\)' +$QEMU_NBD_PROG --list -k $nbd_unix_socket | _filter_qemu_nbd_exports $QEMU_IMG map -f raw --output=3Djson "$TEST_IMG" | _filter_qemu_img_map $QEMU_IO -f raw -c map "$TEST_IMG" nbd_server_stop @@ -71,7 +71,7 @@ echo # sector alignment, here at the server. nbd_server_start_unix_socket "$TEST_IMG_FILE" 2> "$TEST_DIR/server.log" =20 -$QEMU_NBD_PROG --list -k $nbd_unix_socket | grep '\(size\|min\)' +$QEMU_NBD_PROG --list -k $nbd_unix_socket | _filter_qemu_nbd_exports $QEMU_IMG map -f raw --output=3Djson "$TEST_IMG" | _filter_qemu_img_map $QEMU_IO -f raw -c map "$TEST_IMG" nbd_server_stop @@ -84,7 +84,7 @@ echo # Now force sector alignment at the client. nbd_server_start_unix_socket -f $IMGFMT "$TEST_IMG_FILE" =20 -$QEMU_NBD_PROG --list -k $nbd_unix_socket | grep '\(size\|min\)' +$QEMU_NBD_PROG --list -k $nbd_unix_socket | _filter_qemu_nbd_exports $QEMU_IMG map --output=3Djson "$TEST_IMG" | _filter_qemu_img_map $QEMU_IO -c map "$TEST_IMG" nbd_server_stop diff --git a/tests/qemu-iotests/241.out b/tests/qemu-iotests/241.out index 56e95b599a..db2d71ab9d 100644 --- a/tests/qemu-iotests/241.out +++ b/tests/qemu-iotests/241.out
@@ -2,6 +2,7 @@ QA output created by 241 =20 =3D=3D=3D Exporting unaligned raw image, natural alignment =3D=3D=3D =20 +exports available: 1 size: 1024 min block: 1 [{ "start": 0, "length": 1000, "depth": 0, "present": true, "zero": false,= "data": true, "offset": OFFSET}, @@ -10,6 +11,7 @@ QA output created by 241 =20 =3D=3D=3D Exporting unaligned raw image, forced server sector alignment = =3D=3D=3D =20 +exports available: 1 size: 1024 min block: 512 [{ "start": 0, "length": 1024, "depth": 0, "present": true, "zero": false,= "data": true, "offset": OFFSET}] @@ -20,6 +22,7 @@ WARNING: Image format was not specified for 'TEST_DIR/t.r= aw' and probing guessed =20 =3D=3D=3D Exporting unaligned raw image, forced client sector alignment = =3D=3D=3D =20 +exports available: 1 size: 1024 min block: 1 [{ "start": 0, "length": 1000, "depth": 0, "present": true, "zero": false,= "data": true, "offset": OFFSET}, diff --git a/tests/qemu-iotests/common.filter b/tests/qemu-iotests/common.f= ilter index 25d1d22929..940c9884bd 100644 --- a/tests/qemu-iotests/common.filter +++ b/tests/qemu-iotests/common.filter 
@@ -308,6 +308,11 @@ _filter_nbd() -e 's#\(foo\|PORT/\?\|.sock\): Failed to .*$#\1#' } =20 +_filter_qemu_nbd_exports() +{ + grep '\(exports available\|size\|min block\|qemu-nbd\):' +} + _filter_qmp_empty_return() { grep -v '{"return": {}}' --=20 2.34.1
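Review bot: `_filter_qemu_nbd_exports` keeps only lines matching `exports available:`, `size:`, `min block:` or `qemu-nbd:`, which discards the follow-up `server reported: ...` and `Did you forget a valid tls-creds?` lines qemu-nbd prints after an error (the 233.out hunk in patch 09 removes exactly those lines). The `server reported` line carries the server-side reason for a TLS rejection; suggest adding `server reported` to the alternation so the reference output keeps recording why each negative TLS case failed, making a regression in the failure reason visible rather than only the top-level error.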
From: Daniel P. Berrangé
To: qemu-devel@nongnu.org
Subject: [PATCH 09/12] tests/qemu-iotests: convert NBD TLS test to use standard filters
Date: Thu, 3 Mar 2022 16:03:27 +0000
Message-Id: <20220303160330.2979753-10-berrange@redhat.com>
In-Reply-To: <20220303160330.2979753-1-berrange@redhat.com>
References: <20220303160330.2979753-1-berrange@redhat.com>
Cc: Kevin Wolf, Vladimir Sementsov-Ogievskiy, Daniel P. Berrangé, qemu-block@nongnu.org, Markus Armbruster, Hanna Reitz, Eric Blake

Using standard filters is more future proof than rolling our own.
Signed-off-by: Daniel P. Berrangé
Reviewed-by: Eric Blake
---
 tests/qemu-iotests/233 | 29 ++++++++++++++++-------------
 tests/qemu-iotests/233.out | 9 ---------
 2 files changed, 16 insertions(+), 22 deletions(-)

diff --git a/tests/qemu-iotests/233 b/tests/qemu-iotests/233 index 9ca7b68f42..050267298d 100755 --- a/tests/qemu-iotests/233 +++ b/tests/qemu-iotests/233 @@ -65,7 +65,7 @@ tls_x509_create_client "ca1" "client3" echo echo "=3D=3D preparing image =3D=3D" _make_test_img 64M -$QEMU_IO -c 'w -P 0x11 1m 1m' "$TEST_IMG" | _filter_qemu_io +$QEMU_IO -c 'w -P 0x11 1m 1m' "$TEST_IMG" 2>&1 | _filter_qemu_io =20 echo echo "=3D=3D check TLS client to plain server fails =3D=3D" @@ -74,9 +74,9 @@ nbd_server_start_tcp_socket -f $IMGFMT "$TEST_IMG" 2> "$T= EST_DIR/server.log" obj=3Dtls-creds-x509,dir=3D${tls_dir}/client1,endpoint=3Dclient,id=3Dtls0 $QEMU_IMG info --image-opts --object $obj \ driver=3Dnbd,host=3D$nbd_tcp_addr,port=3D$nbd_tcp_port,tls-creds=3Dtls= 0 \ - 2>&1 | sed "s/$nbd_tcp_port/PORT/g" + 2>&1 | _filter_nbd $QEMU_NBD_PROG -L -b $nbd_tcp_addr -p $nbd_tcp_port --object $obj \ - --tls-creds=3Dtls0 + --tls-creds=3Dtls0 2>&1 | _filter_qemu_nbd_exports =20 nbd_server_stop =20 @@ -88,8 +88,10 @@ nbd_server_start_tcp_socket \ --tls-creds tls0 \ -f $IMGFMT "$TEST_IMG" 2>> "$TEST_DIR/server.log" =20 -$QEMU_IMG info nbd://localhost:$nbd_tcp_port 2>&1 | sed "s/$nbd_tcp_port/P= ORT/g" -$QEMU_NBD_PROG -L -b $nbd_tcp_addr -p $nbd_tcp_port +$QEMU_IMG info nbd://localhost:$nbd_tcp_port \ + 2>&1 | _filter_nbd +$QEMU_NBD_PROG -L -b $nbd_tcp_addr -p $nbd_tcp_port \ + 2>&1 | _filter_qemu_nbd_exports =20 echo echo "=3D=3D check TLS works =3D=3D"
@@ -97,21 +99,21 @@ obj1=3Dtls-creds-x509,dir=3D${tls_dir}/client1,endpoint= =3Dclient,id=3Dtls0 obj2=3Dtls-creds-x509,dir=3D${tls_dir}/client3,endpoint=3Dclient,id=3Dtls0 $QEMU_IMG info --image-opts --object $obj1 \ driver=3Dnbd,host=3D$nbd_tcp_addr,port=3D$nbd_tcp_port,tls-creds=3Dtls= 0 \ - 2>&1 | sed "s/$nbd_tcp_port/PORT/g" + 2>&1 | _filter_nbd $QEMU_IMG info --image-opts --object $obj2 \ driver=3Dnbd,host=3D$nbd_tcp_addr,port=3D$nbd_tcp_port,tls-creds=3Dtls= 0 \ - 2>&1 | sed "s/$nbd_tcp_port/PORT/g" + 2>&1 | _filter_nbd $QEMU_NBD_PROG -L -b $nbd_tcp_addr -p $nbd_tcp_port --object $obj1 \ - --tls-creds=3Dtls0 + --tls-creds=3Dtls0 2>&1 | _filter_qemu_nbd_exports =20 echo echo "=3D=3D check TLS with different CA fails =3D=3D" obj=3Dtls-creds-x509,dir=3D${tls_dir}/client2,endpoint=3Dclient,id=3Dtls0 $QEMU_IMG info --image-opts --object $obj \ driver=3Dnbd,host=3D$nbd_tcp_addr,port=3D$nbd_tcp_port,tls-creds=3Dtls= 0 \ - 2>&1 | sed "s/$nbd_tcp_port/PORT/g" + 2>&1 | _filter_nbd $QEMU_NBD_PROG -L -b $nbd_tcp_addr -p $nbd_tcp_port --object $obj \ - --tls-creds=3Dtls0 + --tls-creds=3Dtls0 2>&1 | _filter_qemu_nbd_exports =20 echo echo "=3D=3D perform I/O over TLS =3D=3D" @@ -121,7 +123,8 @@ $QEMU_IO -c 'r -P 0x11 1m 1m' -c 'w -P 0x22 1m 1m' --im= age-opts \ driver=3Dnbd,host=3D$nbd_tcp_addr,port=3D$nbd_tcp_port,tls-creds=3Dtls= 0 \ 2>&1 | _filter_qemu_io =20 -$QEMU_IO -f $IMGFMT -r -U -c 'r -P 0x22 1m 1m' "$TEST_IMG" | _filter_qemu_= io +$QEMU_IO -f $IMGFMT -r -U -c 'r -P 0x22 1m 1m' "$TEST_IMG" \ + 2>&1 | _filter_qemu_io =20 echo echo "=3D=3D check TLS with authorization =3D=3D" 
@@ -139,12 +142,12 @@ nbd_server_start_tcp_socket \ $QEMU_IMG info --image-opts \ --object tls-creds-x509,dir=3D${tls_dir}/client1,endpoint=3Dclient,id= =3Dtls0 \ driver=3Dnbd,host=3D$nbd_tcp_addr,port=3D$nbd_tcp_port,tls-creds=3Dtls= 0 \ - 2>&1 | sed "s/$nbd_tcp_port/PORT/g" + 2>&1 | _filter_nbd =20 $QEMU_IMG info --image-opts \ --object tls-creds-x509,dir=3D${tls_dir}/client3,endpoint=3Dclient,id= =3Dtls0 \ driver=3Dnbd,host=3D$nbd_tcp_addr,port=3D$nbd_tcp_port,tls-creds=3Dtls= 0 \ - 2>&1 | sed "s/$nbd_tcp_port/PORT/g" + 2>&1 | _filter_nbd =20 echo echo "=3D=3D final server log =3D=3D" diff --git a/tests/qemu-iotests/233.out b/tests/qemu-iotests/233.out index 4b1f6a0e15..a1e45765b8 100644 --- a/tests/qemu-iotests/233.out +++ b/tests/qemu-iotests/233.out @@ -17,15 +17,12 @@ wrote 1048576/1048576 bytes at offset 1048576 qemu-img: Could not open 'driver=3Dnbd,host=3D127.0.0.1,port=3DPORT,tls-cr= eds=3Dtls0': Denied by server for option 5 (starttls) server reported: TLS not configured qemu-nbd: Denied by server for option 5 (starttls) -server reported: TLS not configured =20 =3D=3D check plain client to TLS server fails =3D=3D qemu-img: Could not open 'nbd://localhost:PORT': TLS negotiation required = before option 7 (go) Did you forget a valid tls-creds? server reported: Option 0x7 not permitted before TLS qemu-nbd: TLS negotiation required before option 3 (list) -Did you forget a valid tls-creds? -server reported: Option 0x3 not permitted before TLS =20 =3D=3D check TLS works =3D=3D image: nbd://127.0.0.1:PORT 
@@ -37,14 +34,8 @@ file format: nbd virtual size: 64 MiB (67108864 bytes) disk size: unavailable exports available: 1 - export: '' size: 67108864 - flags: 0xced ( flush fua trim zeroes df cache fast-zero ) min block: 1 - opt block: 4096 - max block: 33554432 - available meta contexts: 1 - base:allocation =20 =3D=3D check TLS with different CA fails =3D=3D qemu-img: Could not open 'driver=3Dnbd,host=3D127.0.0.1,port=3DPORT,tls-cr= eds=3Dtls0': The certificate hasn't got a known issuer --=20 2.34.1
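Review bot: in the 233.out hunk at @@ -17,15 +17,12 @@, routing qemu-nbd's stderr through _filter_qemu_nbd_exports drops the `server reported: TLS not configured`, `Did you forget a valid tls-creds?` and `server reported: Option 0x3 not permitted before TLS` lines from the expected output, so the test no longer verifies that the client surfaces the server's stated reason for rejecting the plain/TLS mismatch; either keep those diagnostic lines in the expected output or say in the commit message that discarding them is intended, since a regression in the server's error reporting would otherwise pass unnoticed. The @@ -37,14 +34,8 @@ hunk's removal of the `flags: 0xced (...)`, `opt block`, `max block` and `base:allocation` lines is fine, as those values track NBD feature negotiation rather than the TLS behaviour this test exists to check.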
From: Daniel P. Berrangé
To: qemu-devel@nongnu.org
Subject: [PATCH 10/12] tests/qemu-iotests: validate NBD TLS with hostname mismatch
Date: Thu, 3 Mar 2022 16:03:28 +0000
Message-Id: <20220303160330.2979753-11-berrange@redhat.com>
In-Reply-To: <20220303160330.2979753-1-berrange@redhat.com>
References: <20220303160330.2979753-1-berrange@redhat.com>
Cc: Kevin Wolf, Vladimir Sementsov-Ogievskiy, Daniel P. Berrangé, qemu-block@nongnu.org, Markus Armbruster, Hanna Reitz, Eric Blake

This validates that connections to an NBD server where the certificate
hostname does not match will fail. It further validates that using the new 'tls-hostname' override option can solve the failure. Signed-off-by: Daniel P. Berrang=C3=A9 Reviewed-by: Eric Blake --- tests/qemu-iotests/233 | 18 ++++++++++++++++++ tests/qemu-iotests/233.out | 15 +++++++++++++++ tests/qemu-iotests/common.tls | 7 ++++--- 3 files changed, 37 insertions(+), 3 deletions(-) diff --git a/tests/qemu-iotests/233 b/tests/qemu-iotests/233 index 050267298d..09cfb7039b 100755 --- a/tests/qemu-iotests/233 +++ b/tests/qemu-iotests/233 @@ -106,6 +106,24 @@ $QEMU_IMG info --image-opts --object $obj2 \ $QEMU_NBD_PROG -L -b $nbd_tcp_addr -p $nbd_tcp_port --object $obj1 \ --tls-creds=3Dtls0 2>&1 | _filter_qemu_nbd_exports =20 +echo +echo "=3D=3D check TLS fail over TCP with mismatch hostname =3D=3D" +obj1=3Dtls-creds-x509,dir=3D${tls_dir}/client1,endpoint=3Dclient,id=3Dtls0 +$QEMU_IMG info --image-opts --object $obj1 \ + driver=3Dnbd,host=3Dlocalhost,port=3D$nbd_tcp_port,tls-creds=3Dtls0 \ + 2>&1 | _filter_nbd +$QEMU_NBD_PROG -L -b localhost -p $nbd_tcp_port --object $obj1 \ + --tls-creds=3Dtls0 | _filter_qemu_nbd_exports + +echo +echo "=3D=3D check TLS works over TCP with mismatch hostname and override = =3D=3D" +obj1=3Dtls-creds-x509,dir=3D${tls_dir}/client1,endpoint=3Dclient,id=3Dtls0 +$QEMU_IMG info --image-opts --object $obj1 \ + driver=3Dnbd,host=3Dlocalhost,port=3D$nbd_tcp_port,tls-creds=3Dtls0,tl= s-hostname=3D127.0.0.1 \ + 2>&1 | _filter_nbd +$QEMU_NBD_PROG -L -b localhost -p $nbd_tcp_port --object $obj1 \ + --tls-creds=3Dtls0 --tls-hostname=3D127.0.0.1 | _filter_qemu_nbd_expor= ts + echo echo "=3D=3D check TLS with different CA fails =3D=3D" obj=3Dtls-creds-x509,dir=3D${tls_dir}/client2,endpoint=3Dclient,id=3Dtls0 diff --git a/tests/qemu-iotests/233.out b/tests/qemu-iotests/233.out index a1e45765b8..05abf470ac 100644 --- a/tests/qemu-iotests/233.out +++ b/tests/qemu-iotests/233.out 
@@ -37,6 +37,19 @@ exports available: 1 size: 67108864 min block: 1 =20 +=3D=3D check TLS fail over TCP with mismatch hostname =3D=3D +qemu-img: Could not open 'driver=3Dnbd,host=3Dlocalhost,port=3DPORT,tls-cr= eds=3Dtls0': Certificate does not match the hostname localhost +qemu-nbd: Certificate does not match the hostname localhost + +=3D=3D check TLS works over TCP with mismatch hostname and override =3D=3D +image: nbd://localhost:PORT +file format: nbd +virtual size: 64 MiB (67108864 bytes) +disk size: unavailable +exports available: 1 + size: 67108864 + min block: 1 + =3D=3D check TLS with different CA fails =3D=3D qemu-img: Could not open 'driver=3Dnbd,host=3D127.0.0.1,port=3DPORT,tls-cr= eds=3Dtls0': The certificate hasn't got a known issuer qemu-nbd: The certificate hasn't got a known issuer @@ -54,6 +67,8 @@ qemu-img: Could not open 'driver=3Dnbd,host=3D127.0.0.1,p= ort=3DPORT,tls-creds=3Dtls0': F qemu-img: Could not open 'driver=3Dnbd,host=3D127.0.0.1,port=3DPORT,tls-cr= eds=3Dtls0': Failed to read option reply: Cannot read from TLS channel: Sof= tware caused connection abort =20 =3D=3D final server log =3D=3D +qemu-nbd: option negotiation failed: Failed to read opts magic: Cannot rea= d from TLS channel: Software caused connection abort +qemu-nbd: option negotiation failed: Failed to read opts magic: Cannot rea= d from TLS channel: Software caused connection abort qemu-nbd: option negotiation failed: Verify failed: No certificate was fou= nd. qemu-nbd: option negotiation failed: Verify failed: No certificate was fou= nd. qemu-nbd: option negotiation failed: TLS x509 authz check for DISTINGUISHE= D-NAME is denied diff --git a/tests/qemu-iotests/common.tls b/tests/qemu-iotests/common.tls index 6ba28a78d3..4a5760949d 100644 --- a/tests/qemu-iotests/common.tls +++ b/tests/qemu-iotests/common.tls 
@@ -118,12 +118,13 @@ tls_x509_create_server() caname=3D$1 name=3D$2 =20 + # We don't include 'localhost' in the cert, as + # we want to keep it unlisted to let tests + # validate hostname override mkdir -p "${tls_dir}/$name" cat > "${tls_dir}/cert.info" <
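Review bot: in the 233 hunk at @@ -106,6 +106,24 @@, the two new qemu-nbd invocations (`--tls-creds=tls0 | _filter_qemu_nbd_exports` and `--tls-creds=tls0 --tls-hostname=127.0.0.1 | _filter_qemu_nbd_exports`) omit the `2>&1` that every other `$QEMU_NBD_PROG -L` line in this file now carries, so the `qemu-nbd: Certificate does not match the hostname localhost` line expected in 233.out reaches the output as raw stderr rather than through the filter; add `2>&1` to both so the layout matches the neighbouring TCP cases and the ordering against filtered stdout stays deterministic.

Review bot: the common.tls hunk at @@ -118,12 +118,13 @@ is cut off in this copy right after `cat > "${tls_dir}/cert.info" <`, so the edit to the certificate template that the diffstat (`common.tls | 7 ++++---`) and the new comment describe, dropping 'localhost' from the listed names, cannot be reviewed here; please confirm that 127.0.0.1 remains listed, because the "mismatch hostname and override" case passes only if `tls-hostname=127.0.0.1` still matches a name in the server certificate.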
From: Daniel P. Berrangé
To: qemu-devel@nongnu.org
Subject: [PATCH 11/12] tests/qemu-iotests: validate NBD TLS with UNIX sockets
Date: Thu, 3 Mar 2022 16:03:29 +0000
Message-Id: <20220303160330.2979753-12-berrange@redhat.com>
In-Reply-To: <20220303160330.2979753-1-berrange@redhat.com>
References: <20220303160330.2979753-1-berrange@redhat.com>
Cc: Kevin Wolf, Vladimir Sementsov-Ogievskiy, Daniel P. Berrangé, qemu-block@nongnu.org, Markus Armbruster, Hanna Reitz, Eric Blake

This validates that connections to an NBD server running on a UNIX socket can use TLS, and
require a TLS hostname override to pass certificate validation. Signed-off-by: Daniel P. Berrang=C3=A9 Reviewed-by: Eric Blake --- tests/qemu-iotests/233 | 24 ++++++++++++++++++++++++ tests/qemu-iotests/233.out | 15 +++++++++++++++ 2 files changed, 39 insertions(+) diff --git a/tests/qemu-iotests/233 b/tests/qemu-iotests/233 index 09cfb7039b..27b0a123d3 100755 --- a/tests/qemu-iotests/233 +++ b/tests/qemu-iotests/233 @@ -167,6 +167,30 @@ $QEMU_IMG info --image-opts \ driver=3Dnbd,host=3D$nbd_tcp_addr,port=3D$nbd_tcp_port,tls-creds=3Dtls= 0 \ 2>&1 | _filter_nbd =20 +nbd_server_stop + +nbd_server_start_unix_socket \ + --object tls-creds-x509,dir=3D${tls_dir}/server1,endpoint=3Dserver,id= =3Dtls0,verify-peer=3Don \ + --tls-creds tls0 \ + -f $IMGFMT "$TEST_IMG" 2>> "$TEST_DIR/server.log" + +echo +echo "=3D=3D check TLS fail over UNIX with no hostname =3D=3D" +obj1=3Dtls-creds-x509,dir=3D${tls_dir}/client1,endpoint=3Dclient,id=3Dtls0 +$QEMU_IMG info --image-opts --object $obj1 \ + driver=3Dnbd,path=3D$nbd_unix_socket,tls-creds=3Dtls0 2>&1 | _filter_n= bd +$QEMU_NBD_PROG -L -k $nbd_unix_socket --object $obj1 --tls-creds=3Dtls0 \ + 2>&1 | _filter_qemu_nbd_exports + +echo +echo "=3D=3D check TLS works over UNIX with hostname override =3D=3D" +obj1=3Dtls-creds-x509,dir=3D${tls_dir}/client1,endpoint=3Dclient,id=3Dtls0 +$QEMU_IMG info --image-opts --object $obj1 \ + driver=3Dnbd,path=3D$nbd_unix_socket,tls-creds=3Dtls0,tls-hostname=3D1= 27.0.0.1 \ + 2>&1 | _filter_nbd +$QEMU_NBD_PROG -L -k $nbd_unix_socket --object $obj1 \ + --tls-creds=3Dtls0 --tls-hostname=3D127.0.0.1 2>&1 | _filter_qemu_nbd= _exports + echo echo "=3D=3D final server log =3D=3D" cat "$TEST_DIR/server.log" | _filter_authz_check_tls diff --git a/tests/qemu-iotests/233.out b/tests/qemu-iotests/233.out index 05abf470ac..a00e4c5b08 100644 --- a/tests/qemu-iotests/233.out +++ b/tests/qemu-iotests/233.out 
@@ -66,6 +66,19 @@ read 1048576/1048576 bytes at offset 1048576 qemu-img: Could not open 'driver=3Dnbd,host=3D127.0.0.1,port=3DPORT,tls-cr= eds=3Dtls0': Failed to read option reply: Cannot read from TLS channel: Sof= tware caused connection abort qemu-img: Could not open 'driver=3Dnbd,host=3D127.0.0.1,port=3DPORT,tls-cr= eds=3Dtls0': Failed to read option reply: Cannot read from TLS channel: Sof= tware caused connection abort =20 +=3D=3D check TLS fail over UNIX with no hostname =3D=3D +qemu-img: Could not open 'driver=3Dnbd,path=3DSOCK_DIR/qemu-nbd.sock,tls-c= reds=3Dtls0': No hostname for certificate validation +qemu-nbd: No hostname for certificate validation + +=3D=3D check TLS works over UNIX with hostname override =3D=3D +image: nbd+unix://?socket=3DSOCK_DIR/qemu-nbd.sock +file format: nbd +virtual size: 64 MiB (67108864 bytes) +disk size: unavailable +exports available: 1 + size: 67108864 + min block: 1 + =3D=3D final server log =3D=3D qemu-nbd: option negotiation failed: Failed to read opts magic: Cannot rea= d from TLS channel: Software caused connection abort qemu-nbd: option negotiation failed: Failed to read opts magic: Cannot rea= d from TLS channel: Software caused connection abort 
@@ -73,4 +86,6 @@ qemu-nbd: option negotiation failed: Verify failed: No ce= rtificate was found. qemu-nbd: option negotiation failed: Verify failed: No certificate was fou= nd. qemu-nbd: option negotiation failed: TLS x509 authz check for DISTINGUISHE= D-NAME is denied qemu-nbd: option negotiation failed: TLS x509 authz check for DISTINGUISHE= D-NAME is denied +qemu-nbd: option negotiation failed: Failed to read opts magic: Cannot rea= d from TLS channel: Software caused connection abort +qemu-nbd: option negotiation failed: Failed to read opts magic: Cannot rea= d from TLS channel: Software caused connection abort *** done --=20 2.34.1
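Review bot: in the 233 hunk at @@ -167,6 +167,30 @@, the first new qemu-img call puts `2>&1 | _filter_nbd` on the same line as `driver=nbd,path=$nbd_unix_socket,tls-creds=tls0`, while the hostname-override call a few lines later places it on its own continuation line; lay the two blocks out identically so the only visible difference between them is the `tls-hostname=127.0.0.1` option, which is the behaviour the pair is meant to demonstrate. The `No hostname for certificate validation` line added to 233.out is the fail-closed assertion this patch introduces (a UNIX-socket client with x509 creds and no hostname is refused rather than skipping name verification), and it would be worth stating that explicitly in the commit message.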
From: Daniel P. Berrangé
To: qemu-devel@nongnu.org
Subject: [PATCH 12/12] tests/qemu-iotests: validate NBD TLS with UNIX sockets and PSK
Date: Thu, 3 Mar 2022 16:03:30 +0000
Message-Id: <20220303160330.2979753-13-berrange@redhat.com>
In-Reply-To: <20220303160330.2979753-1-berrange@redhat.com>
References: <20220303160330.2979753-1-berrange@redhat.com>
Cc: Kevin Wolf, Vladimir Sementsov-Ogievskiy, Daniel P. Berrangé, qemu-block@nongnu.org, Markus Armbruster, Hanna Reitz, Eric Blake

This validates that connections to an NBD server running on a UNIX socket can use
TLS with pre-shared keys (PSK). Signed-off-by: Daniel P. Berrang=C3=A9 Reviewed-by: Eric Blake --- tests/qemu-iotests/233 | 28 ++++++++++++++++++++++++++++ tests/qemu-iotests/233.out | 17 +++++++++++++++++ tests/qemu-iotests/common.tls | 24 ++++++++++++++++++++++++ 3 files changed, 69 insertions(+) diff --git a/tests/qemu-iotests/233 b/tests/qemu-iotests/233 index 27b0a123d3..0488f3bbef 100755 --- a/tests/qemu-iotests/233 +++ b/tests/qemu-iotests/233 @@ -61,6 +61,8 @@ tls_x509_create_server "ca1" "server1" tls_x509_create_client "ca1" "client1" tls_x509_create_client "ca2" "client2" tls_x509_create_client "ca1" "client3" +tls_psk_create_creds "psk1" +tls_psk_create_creds "psk2" =20 echo echo "=3D=3D preparing image =3D=3D" 
@@ -191,6 +193,32 @@ $QEMU_IMG info --image-opts --object $obj1 \ $QEMU_NBD_PROG -L -k $nbd_unix_socket --object $obj1 \ --tls-creds=3Dtls0 --tls-hostname=3D127.0.0.1 2>&1 | _filter_qemu_nbd= _exports =20 + +echo +echo "=3D=3D check TLS works over UNIX with PSK =3D=3D" +nbd_server_stop + +nbd_server_start_unix_socket \ + --object tls-creds-psk,dir=3D${tls_dir}/psk1,endpoint=3Dserver,id=3Dtl= s0,verify-peer=3Don \ + --tls-creds tls0 \ + -f $IMGFMT "$TEST_IMG" 2>> "$TEST_DIR/server.log" + +obj1=3Dtls-creds-psk,dir=3D${tls_dir}/psk1,username=3Dpsk1,endpoint=3Dclie= nt,id=3Dtls0 +$QEMU_IMG info --image-opts --object $obj1 \ + driver=3Dnbd,path=3D$nbd_unix_socket,tls-creds=3Dtls0 \ + 2>&1 | _filter_nbd +$QEMU_NBD_PROG -L -k $nbd_unix_socket --object $obj1 \ + --tls-creds=3Dtls0 2>&1 | _filter_qemu_nbd_exports + +echo +echo "=3D=3D check TLS fails over UNIX with mismatch PSK =3D=3D" +obj1=3Dtls-creds-psk,dir=3D${tls_dir}/psk2,username=3Dpsk2,endpoint=3Dclie= nt,id=3Dtls0 +$QEMU_IMG info --image-opts --object $obj1 \ + driver=3Dnbd,path=3D$nbd_unix_socket,tls-creds=3Dtls0 \ + 2>&1 | _filter_nbd +$QEMU_NBD_PROG -L -k $nbd_unix_socket --object $obj1 \ + --tls-creds=3Dtls0 2>&1 | _filter_qemu_nbd_exports + echo echo "=3D=3D final server log =3D=3D" cat "$TEST_DIR/server.log" | _filter_authz_check_tls diff --git a/tests/qemu-iotests/233.out b/tests/qemu-iotests/233.out index a00e4c5b08..ecb36a2f97 100644 --- a/tests/qemu-iotests/233.out +++ b/tests/qemu-iotests/233.out @@ -7,6 +7,8 @@ Generating a signed certificate... Generating a signed certificate... Generating a signed certificate... Generating a signed certificate... +Generating a random key for user 'psk1' +Generating a random key for user 'psk2' =20 =3D=3D preparing image =3D=3D Formatting 'TEST_DIR/t.IMGFMT', fmt=3DIMGFMT size=3D67108864 
@@ -79,6 +81,19 @@ exports available: 1 size: 67108864 min block: 1 =20 +=3D=3D check TLS works over UNIX with PSK =3D=3D +image: nbd+unix://?socket=3DSOCK_DIR/qemu-nbd.sock +file format: nbd +virtual size: 64 MiB (67108864 bytes) +disk size: unavailable +exports available: 1 + size: 67108864 + min block: 1 + +=3D=3D check TLS fails over UNIX with mismatch PSK =3D=3D +qemu-img: Could not open 'driver=3Dnbd,path=3DSOCK_DIR/qemu-nbd.sock,tls-c= reds=3Dtls0': TLS handshake failed: The TLS connection was non-properly ter= minated. +qemu-nbd: TLS handshake failed: The TLS connection was non-properly termin= ated. + =3D=3D final server log =3D=3D qemu-nbd: option negotiation failed: Failed to read opts magic: Cannot rea= d from TLS channel: Software caused connection abort qemu-nbd: option negotiation failed: Failed to read opts magic: Cannot rea= d from TLS channel: Software caused connection abort @@ -88,4 +103,6 @@ qemu-nbd: option negotiation failed: TLS x509 authz chec= k for DISTINGUISHED-NAME qemu-nbd: option negotiation failed: TLS x509 authz check for DISTINGUISHE= D-NAME is denied qemu-nbd: option negotiation failed: Failed to read opts magic: Cannot rea= d from TLS channel: Software caused connection abort qemu-nbd: option negotiation failed: Failed to read opts magic: Cannot rea= d from TLS channel: Software caused connection abort +qemu-nbd: option negotiation failed: TLS handshake failed: An illegal para= meter has been received. +qemu-nbd: option negotiation failed: TLS handshake failed: An illegal para= meter has been received. *** done diff --git a/tests/qemu-iotests/common.tls b/tests/qemu-iotests/common.tls index 4a5760949d..b9c5462986 100644 --- a/tests/qemu-iotests/common.tls +++ b/tests/qemu-iotests/common.tls @@ -24,6 +24,7 @@ tls_x509_cleanup() { rm -f "${tls_dir}"/*.pem rm -f "${tls_dir}"/*/*.pem + rm -f "${tls_dir}"/*/*.psk rmdir "${tls_dir}"/* rmdir "${tls_dir}" } 
@@ -40,6 +41,18 @@ tls_certtool() rm -f "${tls_dir}"/certtool.log } =20 +tls_psktool() +{ + psktool "$@" 1>"${tls_dir}"/psktool.log 2>&1 + if test "$?" =3D 0; then + head -1 "${tls_dir}"/psktool.log + else + cat "${tls_dir}"/psktool.log + fi + rm -f "${tls_dir}"/psktool.log +} + + tls_x509_init() { (certtool --help) >/dev/null 2>&1 || \ @@ -176,3 +189,14 @@ EOF =20 rm -f "${tls_dir}/cert.info" } + +tls_psk_create_creds() +{ + name=3D$1 + + mkdir -p "${tls_dir}/$name" + + tls_psktool \ + --pskfile "${tls_dir}/$name/keys.psk" \ + --username "$name" +} --=20 2.34.1
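Review bot: in the common.tls hunk at @@ -40,6 +41,18 @@, the new `tls_psktool` wrapper calls `psktool "$@"` unconditionally, whereas the adjacent `tls_x509_init` probes `(certtool --help) >/dev/null 2>&1 ||` before any certificate work; add an equivalent availability check for psktool so a host without the binary skips the test cleanly instead of failing with the tool's error text (from the `cat "${tls_dir}"/psktool.log` branch) showing up in the output diff.

Review bot: in the 233 hunk at @@ -191,6 +193,32 @@, the added empty `+` line directly after the existing blank context line leaves two consecutive blank lines before `echo "== check TLS works over UNIX with PSK =="`; drop one to keep the single-blank spacing used between the other test blocks. In the same hunk, `obj1` is reused for the mismatch case's psk2 credentials right after holding the psk1 ones; a distinct name (or inlining the `--object` argument as the x509 authorization cases already do) would make the "wrong key file" intent of the second block obvious when reading the expected `TLS handshake failed` lines in 233.out.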