
[Nbd] [PATCHv2 0/6] Introduce TLS on nbdserver



This is an RFC patch to introduce TLS support on nbdserver.

This is *NOT* production ready by any means, and is submitted for comment.

I have added crypto-gnutls.[ch] from:
 github.com/abligh/tlsproxy
which is my attempt at an MIT licenced GnuTLS proxy. The proxy element
is standalone, and is incorporated here. Whilst it's not GPL licensed,
MIT is compatible. Also it uses GNU format indentation (sorry about that).
However, it (together with buffer.[ch]) is almost entirely self-contained.

The same approach (believe it or not) could be taken for nbdclient (which
is my plan). As the proxy runs as an independent process, nbdclient can
launch it, then call the DOIT ioctl() on one end of the created socketpair().
The proxy process then drops into the background and closes after
either the kernel closes the socket or the other end closes the socket.

I have tested this to a minimal extent against qemu-img (i.e. qemu
acting as a client). The problem (see nbdgeneral ad nauseam) we have
with NBD_CMD_DISC means that we see false reports of 'magic number mismatch'.
This appears to be because read() returns 0 in negotiate(), and nbdserver
does not check for this. It then reverses (again) the *previous* magic
number, using ntohll(), and this causes the 'magic number mismatch' issue.
This isn't really a problem but causes confusing errors.

The first two patches are preparatory work, and the third patch actually
adds NBD_OPT_STARTTLS. The comment in that patch shows what is left to
figure out.

Changes from v1:

* Added support for TLS to nbd-tester-client. Weirdly it passed first
  time.

* In doing so, folded the two patches to nbd-tester-client.c into this
  series. Note the FIXED_NEWSTYLE patch earlier missed host/network
  ordering.

* Per Wouter, use AM_CONDITIONAL rather than #ifdef'ing out files

* Per Wouter, do the test for GnuTLS later.

Alex Bligh (6):
  Make nbd-tester-client use FIXED_NEWSTYLE negotiation
  Fix whitespacing and indentation in nbd-tester-client.c
  Add GnuTLS infrastructure
  Add options for TLS support for server
  Add TLS support to server
  Add TLS testing to nbd-tester-client.c

 Makefile.am                     |   13 +-
 buffer.c                        |  225 +++++++
 buffer.h                        |   45 ++
 cliserv.h                       |    1 +
 configure.ac                    |   15 +
 crypto-gnutls.c                 |  610 ++++++++++++++++++
 crypto-gnutls.h                 |   43 ++
 man/nbd-server.5.in.sgml        |   65 ++
 nbd-server.c                    |  204 +++++-
 nbd.h                           |    2 +
 nbdsrv.h                        |    1 +
 tests/run/Makefile.am           |   13 +-
 tests/run/certs/ca-cert.pem     |   20 +
 tests/run/certs/ca-key.pem      |   32 +
 tests/run/certs/ca.info         |    3 +
 tests/run/certs/client-cert.pem |   23 +
 tests/run/certs/client-key.pem  |   32 +
 tests/run/certs/client.info     |    8 +
 tests/run/certs/server-cert.pem |   22 +
 tests/run/certs/server-key.pem  |   32 +
 tests/run/certs/server.info     |    5 +
 tests/run/nbd-tester-client.c   | 1358 ++++++++++++++++++++++++---------------
 tests/run/simple_test           |   45 ++
 23 files changed, 2276 insertions(+), 541 deletions(-)
 create mode 100644 buffer.c
 create mode 100644 buffer.h
 create mode 100644 crypto-gnutls.c
 create mode 100644 crypto-gnutls.h
 create mode 100644 tests/run/certs/ca-cert.pem
 create mode 100644 tests/run/certs/ca-key.pem
 create mode 100644 tests/run/certs/ca.info
 create mode 100644 tests/run/certs/client-cert.pem
 create mode 100644 tests/run/certs/client-key.pem
 create mode 100644 tests/run/certs/client.info
 create mode 100644 tests/run/certs/server-cert.pem
 create mode 100644 tests/run/certs/server-key.pem
 create mode 100644 tests/run/certs/server.info

-- 
1.9.1
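The false 'magic number mismatch' described above, as an added illustration that is not part of this patch series or of nbd-server's own code: a negotiation read that ignores a zero-length read() and converts the field in place, beside one that surfaces EOF before decoding. The magic constant, the NEG_* codes and the pipe standing in for a peer that disconnects are constructed for the example; be64_at is a portable stand-in for nbd's ntohll().

```c
#include <errno.h>
#include <stdint.h>
#include <unistd.h>
/* Constructed magic for illustration; not one of NBD's real constants. */
#define EXAMPLE_MAGIC 0x1122334455667788ULL
enum { NEG_OK = 0, NEG_MISMATCH = 1, NEG_EOF = 2, NEG_ERR = 3 };
/* Stand-in for ntohll(): decode the 8 bytes at p as big-endian. */
static uint64_t be64_at(const void *p) {
    const unsigned char *b = p;
    uint64_t v = 0;
    for (int i = 0; i < 8; i++) v = (v << 8) | b[i];
    return v;
}
/* Read exactly len bytes, reporting a clean EOF separately from an error. */
static int read_exact(int fd, void *buf, size_t len) {
    unsigned char *p = buf;
    while (len > 0) {
        ssize_t n = read(fd, p, len);
        if (n == 0) return NEG_EOF;                       /* peer closed */
        if (n < 0) { if (errno == EINTR) continue; return NEG_ERR; }
        p += n; len -= (size_t)n;
    }
    return NEG_OK;
}
/* Pattern from the cover letter: read() result ignored, field converted in
 * place, so after EOF the stale host-order value is swapped a second time. */
static int negotiate_unchecked(int fd, uint64_t *magic) {
    (void)read(fd, magic, sizeof *magic);
    *magic = be64_at(magic);                              /* in-place "ntohll" */
    return *magic == EXAMPLE_MAGIC ? NEG_OK : NEG_MISMATCH;
}
/* Hardened version: EOF and errors are reported before any decoding. */
static int negotiate_checked(int fd, uint64_t *magic) {
    int rc = read_exact(fd, magic, sizeof *magic);
    if (rc != NEG_OK) return rc;
    *magic = be64_at(magic);
    return *magic == EXAMPLE_MAGIC ? NEG_OK : NEG_MISMATCH;
}
/* Constructed peer: a pipe carrying one big-endian magic, then EOF. */
static int make_peer_fd(void) {
    int fds[2];
    if (pipe(fds) < 0) return -1;
    unsigned char wire[8];
    for (int i = 0; i < 8; i++) wire[i] = (unsigned char)(EXAMPLE_MAGIC >> (56 - 8 * i));
    ssize_t w = write(fds[1], wire, sizeof wire);
    (void)w;
    close(fds[1]);                                        /* peer disconnects */
    return fds[0];
}
```

On a little-endian host the unchecked variant's second call reports NEG_MISMATCH rather than the disconnect, which is the confusing error the cover letter describes.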