From: Eric Blake <eblake@redhat.com>
To: qemu-devel@nongnu.org
Cc: "Kevin Wolf" <kwolf@redhat.com>,
	"Hanna Reitz" <hreitz@redhat.com>,
	"Daniel P. Berrangé" <berrange@redhat.com>,
	"open list:Block layer core" <qemu-block@nongnu.org>
Subject: [PULL 11/15] tests/qemu-iotests: validate NBD TLS with UNIX sockets
Date: Mon,  7 Mar 2022 19:44:15 -0600
Message-ID: <20220308014419.3056549-12-eblake@redhat.com>
In-Reply-To: <20220308014419.3056549-1-eblake@redhat.com>

From: Daniel P. Berrangé <berrange@redhat.com>

This validates that connections to an NBD server running on a UNIX
socket can use TLS, and require a TLS hostname override to pass
certificate validation.

Reviewed-by: Eric Blake <eblake@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
Message-Id: <20220304193610.3293146-12-berrange@redhat.com>
[eblake: squash in rebase fix]
Tested-by: Eric Blake <eblake@redhat.com>
Signed-off-by: Eric Blake <eblake@redhat.com>
---
 tests/qemu-iotests/233     | 24 ++++++++++++++++++++++++
 tests/qemu-iotests/233.out | 16 ++++++++++++++++
 2 files changed, 40 insertions(+)

diff --git a/tests/qemu-iotests/233 b/tests/qemu-iotests/233
index c24d877be88e..442fd1378c1d 100755
--- a/tests/qemu-iotests/233
+++ b/tests/qemu-iotests/233
@@ -167,6 +167,30 @@ $QEMU_IMG info --image-opts \
     driver=nbd,host=$nbd_tcp_addr,port=$nbd_tcp_port,tls-creds=tls0 \
     2>&1 | _filter_nbd

+nbd_server_stop
+
+nbd_server_start_unix_socket \
+    --object tls-creds-x509,dir=${tls_dir}/server1,endpoint=server,id=tls0,verify-peer=on \
+    --tls-creds tls0 \
+    -f $IMGFMT "$TEST_IMG" 2>> "$TEST_DIR/server.log"
+
+echo
+echo "== check TLS fail over UNIX with no hostname =="
+obj1=tls-creds-x509,dir=${tls_dir}/client1,endpoint=client,id=tls0
+$QEMU_IMG info --image-opts --object $obj1 \
+    driver=nbd,path=$nbd_unix_socket,tls-creds=tls0 2>&1 | _filter_nbd
+$QEMU_NBD_PROG -L -k $nbd_unix_socket --object $obj1 --tls-creds=tls0 \
+    2>&1 | _filter_qemu_nbd_exports
+
+echo
+echo "== check TLS works over UNIX with hostname override =="
+obj1=tls-creds-x509,dir=${tls_dir}/client1,endpoint=client,id=tls0
+$QEMU_IMG info --image-opts --object $obj1 \
+    driver=nbd,path=$nbd_unix_socket,tls-creds=tls0,tls-hostname=127.0.0.1 \
+    2>&1 | _filter_nbd
+$QEMU_NBD_PROG -L -k $nbd_unix_socket --object $obj1 \
+    --tls-creds=tls0 --tls-hostname=127.0.0.1  2>&1 | _filter_qemu_nbd_exports
+
 echo
 echo "== final server log =="
 cat "$TEST_DIR/server.log" | _filter_authz_check_tls
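Review bot: `obj1` is assigned the identical value at the top of both the "fail" and "works" blocks; the second `obj1=tls-creds-x509,dir=${tls_dir}/client1,endpoint=client,id=tls0` can be dropped, or the variable set once before `nbd_server_start_unix_socket` if each block is meant to stay self-contained. There is also a stray double space before `2>&1` in the last `$QEMU_NBD_PROG` line. On substance, the override value `127.0.0.1` only works because it matches the name the `server1` certificate was issued for, which is consistent with the TCP case above (`host=$nbd_tcp_addr`, shown as 127.0.0.1 in the reference output); a one-line comment explaining that a UNIX-socket peer has no address, so the name to validate against has to be supplied explicitly, would help the next person who edits this test.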
diff --git a/tests/qemu-iotests/233.out b/tests/qemu-iotests/233.out
index d42611bf74a6..6e55be779946 100644
--- a/tests/qemu-iotests/233.out
+++ b/tests/qemu-iotests/233.out
@@ -68,6 +68,20 @@ read 1048576/1048576 bytes at offset 1048576
 qemu-img: Could not open 'driver=nbd,host=127.0.0.1,port=PORT,tls-creds=tls0': Failed to read option reply: Cannot read from TLS channel: Software caused connection abort
 qemu-img: Could not open 'driver=nbd,host=127.0.0.1,port=PORT,tls-creds=tls0': Failed to read option reply: Cannot read from TLS channel: Software caused connection abort

+== check TLS fail over UNIX with no hostname ==
+qemu-img: Could not open 'driver=nbd,path=SOCK_DIR/qemu-nbd.sock,tls-creds=tls0': No hostname for certificate validation
+qemu-nbd: No hostname for certificate validation
+
+== check TLS works over UNIX with hostname override ==
+image: nbd+unix://?socket=SOCK_DIR/qemu-nbd.sock
+file format: nbd
+virtual size: 64 MiB (67108864 bytes)
+disk size: unavailable
+exports available: 1
+ export: ''
+  size:  67108864
+  min block: 1
+
 == final server log ==
 qemu-nbd: option negotiation failed: Failed to read opts magic: Cannot read from TLS channel: Software caused connection abort
 qemu-nbd: option negotiation failed: Failed to read opts magic: Cannot read from TLS channel: Software caused connection abort
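Review bot: The two "No hostname for certificate validation" lines are the important part of this hunk: they show that both the qemu-img block-driver client and the qemu-nbd `-L` client refuse TLS over a UNIX socket when no `tls-hostname` is given, rather than silently skipping certificate validation, which is the property this test pins down. The `SOCK_DIR/qemu-nbd.sock` placeholder in both the error message and the `image:` line depends on `_filter_nbd` and `_filter_qemu_nbd_exports` rewriting the socket path, so any later change to those filters will require regenerating this reference file. `disk size: unavailable`, `export: ''` and `min block: 1` are the expected values for the single unnamed export served here, so nothing further to change.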
@@ -75,4 +89,6 @@ qemu-nbd: option negotiation failed: Verify failed: No certificate was found.
 qemu-nbd: option negotiation failed: Verify failed: No certificate was found.
 qemu-nbd: option negotiation failed: TLS x509 authz check for DISTINGUISHED-NAME is denied
 qemu-nbd: option negotiation failed: TLS x509 authz check for DISTINGUISHED-NAME is denied
+qemu-nbd: option negotiation failed: Failed to read opts magic: Cannot read from TLS channel: Software caused connection abort
+qemu-nbd: option negotiation failed: Failed to read opts magic: Cannot read from TLS channel: Software caused connection abort
 *** done
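Review bot: The two appended server-log lines are byte-identical to the earlier TCP failures (`Failed to read opts magic: Cannot read from TLS channel: Software caused connection abort`), so the reference output can only tell the new UNIX no-hostname failures apart from the older ones by position and count. That is acceptable because the server log is appended sequentially via `2>> "$TEST_DIR/server.log"` and the test runs deterministically, but it means a future failure diff in this region will have to be read by counting lines. Note also that the two successful hostname-override connections leave no entry in the server log at all, so success of that case is asserted only by the client-side `exports available: 1` output in the previous hunk; that is fine, just worth stating in the commit message so nobody expects a matching server-side line.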
-- 
2.35.1