[Nbd] [PATCHv4 4/6] Add TLS testing to nbd-tester-client.c
- To: "nbd-general@lists.sourceforge.net" <nbd-general@lists.sourceforge.net>
- Cc: Wouter Verhelst <w@...112...>
- Subject: [Nbd] [PATCHv4 4/6] Add TLS testing to nbd-tester-client.c
- From: Alex Bligh <alex@...872...>
- Date: Tue, 12 Apr 2016 16:00:09 +0100
- Message-id: <1460473211-40921-5-git-send-email-alex@...872...>
- In-reply-to: <1460473211-40921-1-git-send-email-alex@...872...>
- References: <1460473211-40921-1-git-send-email-alex@...872...>
This commit adds TLS testing to nbd-tester-client and to 'make check'.
If TLS support is not compiled in, the test is skipped.
Signed-off-by: Alex Bligh <alex@...872...>
---
nbd.h | 2 +
tests/run/Makefile.am | 11 ++-
tests/run/certs/README.md | 60 ++++++++++++++++
tests/run/certs/ca-cert.pem | 20 ++++++
tests/run/certs/ca-key.pem | 32 +++++++++
tests/run/certs/ca.info | 3 +
tests/run/certs/client-cert.pem | 23 ++++++
tests/run/certs/client-key.pem | 32 +++++++++
tests/run/certs/client.info | 8 +++
tests/run/certs/server-cert.pem | 22 ++++++
tests/run/certs/server-key.pem | 32 +++++++++
tests/run/certs/server.info | 5 ++
tests/run/nbd-tester-client.c | 155 +++++++++++++++++++++++++++++++++++++++-
tests/run/simple_test | 45 ++++++++++++
14 files changed, 447 insertions(+), 3 deletions(-)
create mode 100644 tests/run/certs/README.md
create mode 100644 tests/run/certs/ca-cert.pem
create mode 100644 tests/run/certs/ca-key.pem
create mode 100644 tests/run/certs/ca.info
create mode 100644 tests/run/certs/client-cert.pem
create mode 100644 tests/run/certs/client-key.pem
create mode 100644 tests/run/certs/client.info
create mode 100644 tests/run/certs/server-cert.pem
create mode 100644 tests/run/certs/server-key.pem
create mode 100644 tests/run/certs/server.info
diff --git a/nbd.h b/nbd.h
index 732c605..90c97a6 100644
--- a/nbd.h
+++ b/nbd.h
@@ -59,6 +59,8 @@ enum {
#define NBD_REPLY_MAGIC 0x67446698
/* Do *not* use magics: 0x12560953 0x96744668. */
+#define NBD_OPT_REPLY_MAGIC 0x3e889045565a9LL
+
/*
* This is the packet used for communication between client and
* server. All data are in network byte order.
diff --git a/tests/run/Makefile.am b/tests/run/Makefile.am
index 29e4f7f..60fdb25 100644
--- a/tests/run/Makefile.am
+++ b/tests/run/Makefile.am
@@ -1,5 +1,10 @@
+if GNUTLS
+TLSSRC = $(top_srcdir)/crypto-gnutls.c $(top_srcdir)/crypto-gnutls.h $(top_srcdir)/buffer.c $(top_srcdir)/buffer.h
+else
+TLSSRC =
+endif
TESTS_ENVIRONMENT=$(srcdir)/simple_test
-TESTS = cfg1 cfgmulti cfgnew cfgsize write flush integrity dirconfig list rowrite tree rotree unix #integrityhuge
+TESTS = cfg1 cfgmulti cfgnew cfgsize write flush integrity dirconfig list rowrite tree rotree unix tls #integrityhuge tlshuge
check_PROGRAMS = nbd-tester-client
nbd_tester_client_SOURCES = nbd-tester-client.c $(top_srcdir)/cliserv.h $(top_srcdir)/netdb-compat.h $(top_srcdir)/cliserv.c
if GNUTLS
@@ -8,7 +13,7 @@ endif
nbd_tester_client_CFLAGS = @CFLAGS@ @GLIB_CFLAGS@
nbd_tester_client_CPPFLAGS = -I$(top_srcdir)
nbd_tester_client_LDADD = @GLIB_LIBS@
-EXTRA_DIST = integrity-test.tr integrityhuge-test.tr simple_test
+EXTRA_DIST = integrity-test.tr integrityhuge-test.tr simple_test certs/client-key.pem certs/client-cert.pem certs/server-cert.pem certs/ca-cert.pem certs/ca.info certs/client.info certs/server-key.pem certs/ca-key.pem certs/server.info
cfg1:
cfgmulti:
cfgnew:
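Review bot: The EXTRA_DIST line now ships three private keys (`certs/client-key.pem`, `certs/server-key.pem`, `certs/ca-key.pem`) in the release tarball; the certs/README.md added in this patch describes them as test certificates but does not say that the private keys are deliberately public. A comment above the line, `# certs/*.pem are test-only fixtures: the private keys are public by design and must not be reused outside the test suite`, states that where packagers will see it, and the same sentence belongs in certs/README.md. Automake cannot wildcard the directory, so the explicit list is right; sorting it alphabetically would make a missing file easier to spot.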
@@ -23,3 +28,5 @@ rowrite:
tree:
rotree:
unix:
+tls:
+tlshuge:
diff --git a/tests/run/certs/README.md b/tests/run/certs/README.md
new file mode 100644
index 0000000..42ab727
--- /dev/null
+++ b/tests/run/certs/README.md
@@ -0,0 +1,60 @@
+This directory contains test certificates used for NBD's test suite.
+
+They are:
+
+* `client-key.pem` - client private key
+* `client-cert.pem` - client public key
+* `server-key.pem` - server private key
+* `server-cert.pem` - server public key
+* `ca-key.pem` - certificate authority private key
+* `ca-cert.pem` - certificate authority public key
+
+The `*.info` files are generated using the procedure below.
+
+Certificates can be made using the procedure at: https://qemu.weilnetz.de/qemu-doc.html
+using GnuTLS's certtool tool.
+
+Here's how:
+
+First make a CA:
+
+ # certtool --generate-privkey > ca-key.pem
+
+And give it a public key:
+
+ # cat > ca.info <<EOF
+ cn = Name of your organization
+ ca
+ cert_signing_key
+ EOF
+ # certtool --generate-self-signed --load-privkey ca-key.pem --template ca.info --outfile ca-cert.pem
+
+Next issue a server certificate:
+
+ # cat > server.info <<EOF
+ organization = Name of your organization
+ cn = server.foo.example.com
+ tls_www_server
+ encryption_key
+ signing_key
+ EOF
+ # certtool --generate-privkey > server-key.pem
+ # certtool --generate-certificate --load-ca-certificate ca-cert.pem --load-ca-privkey ca-key.pem --load-privkey server-key.pem --template server.info --outfile server-cert.pem
+
+Note the `cn` needs to match the hostname that nbd-client uses to connect (or the hostname specified with `-H` on the command line).
+
+And finally issue a client certificate:
+
+ # cat > client.info <<EOF
+ country = GB
+ state = London
+ locality = London
+ organization = Name of your organization
+ cn = client.foo.example.com
+ tls_www_client
+ encryption_key
+ signing_key
+ EOF
+ # certtool --generate-privkey > client-key.pem
+ # certtool --generate-certificate --load-ca-certificate ca-cert.pem --load-ca-privkey ca-key.pem --load-privkey client-key.pem --template client.info --outfile client-cert.pem
+
diff --git a/tests/run/certs/ca-cert.pem b/tests/run/certs/ca-cert.pem
new file mode 100644
index 0000000..a3b8ba0
--- /dev/null
+++ b/tests/run/certs/ca-cert.pem
@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/tests/run/certs/ca-key.pem b/tests/run/certs/ca-key.pem
new file mode 100644
index 0000000..ed76fd8
--- /dev/null
+++ b/tests/run/certs/ca-key.pem
@@ -0,0 +1,32 @@
+-----BEGIN RSA PRIVATE KEY-----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+-----END RSA PRIVATE KEY-----
diff --git a/tests/run/certs/ca.info b/tests/run/certs/ca.info
new file mode 100644
index 0000000..c1dbf84
--- /dev/null
+++ b/tests/run/certs/ca.info
@@ -0,0 +1,3 @@
+cn = Alex Bligh
+ca
+cert_signing_key
diff --git a/tests/run/certs/client-cert.pem b/tests/run/certs/client-cert.pem
new file mode 100644
index 0000000..024627c
--- /dev/null
+++ b/tests/run/certs/client-cert.pem
@@ -0,0 +1,23 @@
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/tests/run/certs/client-key.pem b/tests/run/certs/client-key.pem
new file mode 100644
index 0000000..401425c
--- /dev/null
+++ b/tests/run/certs/client-key.pem
@@ -0,0 +1,32 @@
+-----BEGIN RSA PRIVATE KEY-----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+-----END RSA PRIVATE KEY-----
diff --git a/tests/run/certs/client.info b/tests/run/certs/client.info
new file mode 100644
index 0000000..460a889
--- /dev/null
+++ b/tests/run/certs/client.info
@@ -0,0 +1,8 @@
+country = GB
+state = London
+locality = London
+organization = Name of your organization
+cn = 127.0.0.1
+tls_www_client
+encryption_key
+signing_key
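Review bot: `cn = 127.0.0.1` here, and likewise in the tests/run/certs/server.info hunk, differs from the README.md in the same patch, whose worked example uses `cn = client.foo.example.com` and `cn = server.foo.example.com` and then states that the `*.info` files were generated by that procedure. Since tests/run/simple_test passes `-H 127.0.0.1` precisely so that the name verified by the client matches these templates, the README example should show 127.0.0.1 (or say explicitly that the shipped templates substitute the loopback address) so the two do not drift apart when the certificates are regenerated.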
diff --git a/tests/run/certs/server-cert.pem b/tests/run/certs/server-cert.pem
new file mode 100644
index 0000000..d1dd018
--- /dev/null
+++ b/tests/run/certs/server-cert.pem
@@ -0,0 +1,22 @@
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/tests/run/certs/server-key.pem b/tests/run/certs/server-key.pem
new file mode 100644
index 0000000..957227c
--- /dev/null
+++ b/tests/run/certs/server-key.pem
@@ -0,0 +1,32 @@
+-----BEGIN RSA PRIVATE KEY-----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+-----END RSA PRIVATE KEY-----
diff --git a/tests/run/certs/server.info b/tests/run/certs/server.info
new file mode 100644
index 0000000..1e02d79
--- /dev/null
+++ b/tests/run/certs/server.info
@@ -0,0 +1,5 @@
+organization = Name of your organization
+cn = 127.0.0.1
+tls_www_server
+encryption_key
+signing_key
diff --git a/tests/run/nbd-tester-client.c b/tests/run/nbd-tester-client.c
index f335618..0ec995c 100644
--- a/tests/run/nbd-tester-client.c
+++ b/tests/run/nbd-tester-client.c
@@ -42,6 +42,10 @@
#define MY_NAME "nbd-tester-client"
#include "cliserv.h"
+#ifdef WITH_GNUTLS
+#include "crypto-gnutls.h"
+#endif
+
static gchar errstr[1024];
const static int errstr_len = 1023;
@@ -50,6 +54,10 @@ static uint64_t size;
static int looseordering = 0;
static gchar *transactionlog = "nbd-tester-client.tr";
+static gchar *certfile = NULL;
+static gchar *keyfile = NULL;
+static gchar *cacertfile = NULL;
+static gchar *tlshostname = NULL;
typedef enum {
CONNECTION_TYPE_NONE,
@@ -341,6 +349,10 @@ static inline int write_all(int f, void *buf, size_t len)
return retval;
}
+static int tlserrout (void *opaque, const char *format, va_list ap) {
+ return vfprintf(stderr, format, ap);
+}
+
#define READ_ALL_ERRCHK(f, buf, len, whereto, errmsg...) if((read_all(f, buf, len))<=0) { snprintf(errstr, errstr_len, ##errmsg); goto whereto; }
#define READ_ALL_ERR_RT(f, buf, len, whereto, rval, errmsg...) if((read_all(f, buf, len))<=0) { snprintf(errstr, errstr_len, ##errmsg); retval = rval; goto whereto; }
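Review bot: `static int tlserrout (void *opaque, const char *format, va_list ap) {` puts a space before the parameter list, unlike the definitions around it (`static inline int write_all(int f, void *buf, size_t len)` in this hunk's context), so `static int tlserrout(void *opaque, const char *format, va_list ap)` keeps the file uniform. The `opaque` parameter is required by the callback signature but never read; `(void)opaque;` as the first statement documents that and silences -Wunused-parameter. A one-line comment, `/* erroutfn callback for tlssession_new(): route TLS diagnostics to stderr */`, would also say why this forwards to vfprintf.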
@@ -395,9 +407,118 @@ int setup_connection_common(int sock, char *name, CONNECTION_TYPE ctype,
/* negotiation flags */
if (handshakeflags & NBD_FLAG_FIXED_NEWSTYLE)
negotiationflags |= NBD_FLAG_C_FIXED_NEWSTYLE;
+ else if (keyfile) {
+ snprintf(errstr, errstr_len, "Cannot negotiate TLS without NBD_FLAG_FIXED_NEWSTYLE");
+ goto err;
+ }
negotiationflags = htonl(negotiationflags);
WRITE_ALL_ERRCHK(sock, &negotiationflags, sizeof(negotiationflags), err,
"Could not write reserved field: %s", strerror(errno));
+#ifdef WITH_GNUTLS
+ /* TLS */
+ if (keyfile) {
+ int plainfd[2]; // [0] is used by the proxy, [1] is used by NBD
+ tlssession_t *s = NULL;
+ int ret;
+
+ /* magic */
+ tmp64 = htonll(opts_magic);
+ WRITE_ALL_ERRCHK(sock, &tmp64, sizeof(tmp64), err,
+ "Could not write magic: %s", strerror(errno));
+ /* starttls */
+ tmp32 = htonl(NBD_OPT_STARTTLS);
+ WRITE_ALL_ERRCHK(sock, &tmp32, sizeof(tmp32), err,
+ "Could not write option: %s", strerror(errno));
+ /* length of data */
+ tmp32 = htonl(0);
+ WRITE_ALL_ERRCHK(sock, &tmp32, sizeof(tmp32), err,
+ "Could not write option length: %s", strerror(errno));
+
+ READ_ALL_ERRCHK(sock, &tmp64, sizeof(tmp64), err,
+ "Could not read cliserv_magic: %s", strerror(errno));
+ tmp64 = ntohll(tmp64);
+ if (tmp64 != NBD_OPT_REPLY_MAGIC) {
+ strncpy(errstr, "reply magic does not match", errstr_len);
+ goto err;
+ }
+ READ_ALL_ERRCHK(sock, &tmp32, sizeof(tmp32), err,
+ "Could not read option type: %s", strerror(errno));
+ tmp32 = ntohl(tmp32);
+ if (tmp32 != NBD_OPT_STARTTLS) {
+ strncpy(errstr, "Reply to wrong option", errstr_len);
+ goto err;
+ }
+ READ_ALL_ERRCHK(sock, &tmp32, sizeof(tmp32), err,
+ "Could not read option reply type: %s", strerror(errno));
+ tmp32 = ntohl(tmp32);
+ if (tmp32 != NBD_REP_ACK) {
+ strncpy(errstr, "Option reply type != NBD_REP_ACK", errstr_len);
+ goto err;
+ }
+ READ_ALL_ERRCHK(sock, &tmp32, sizeof(tmp32), err,
+ "Could not read option data length: %s", strerror(errno));
+ tmp32 = ntohl(tmp32);
+ if (tmp32 != 0) {
+ strncpy(errstr, "Option reply data length != 0", errstr_len);
+ goto err;
+ }
+
+ s = tlssession_new(FALSE,
+ keyfile,
+ certfile,
+ cacertfile,
+ tlshostname,
+ !cacertfile || !tlshostname, // insecure flag
+#ifdef DODBG
+ 1, // debug
+#else
+ 0, // debug
+#endif
+ NULL, // quitfn
+ tlserrout, // erroutfn
+ NULL // opaque
+ );
+ if (!s) {
+ strncpy(errstr, "Cannot establish TLS session", errstr_len);
+ goto err;
+ }
+
+ if (socketpair(AF_UNIX, SOCK_STREAM, 0, plainfd) < 0) {
+ strncpy(errstr, "Cannot get socket pair", errstr_len);
+ goto err;
+ }
+
+ if (set_nonblocking(plainfd[0], 0) <0 ||
+ set_nonblocking(plainfd[1], 0) <0 ||
+ set_nonblocking(sock, 0) <0) {
+ close(plainfd[0]);
+ close(plainfd[1]);
+ strncpy(errstr, "Cannot set socket options", errstr_len);
+ goto err;
+ }
+
+ ret = fork();
+ if (ret < 0)
+ err("Could not fork");
+ else if (ret == 0) {
+ // we are the child
+ signal (SIGPIPE, SIG_IGN);
+ close(plainfd[1]);
+ tlssession_mainloop(sock, plainfd[0], s);
+ close(sock);
+ close(plainfd[0]);
+ exit(0);
+ }
+ close(plainfd[0]);
+ close(sock);
+ sock = plainfd[1]; /* use the decrypted FD from now on */
+ }
+#else
+ if (keyfile) {
+ strncpy(errstr, "TLS requested but support not compiled in", errstr_len);
+ goto err;
+ }
+#endif
/* magic */
tmp64 = htonll(opts_magic);
WRITE_ALL_ERRCHK(sock, &tmp64, sizeof(tmp64), err,
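Review bot: The tlssession_t `s` returned by tlssession_new() is never released on the error paths that follow it: the socketpair() failure and the set_nonblocking() failure both `goto err` with `s` still live, and the parent after fork() keeps its copy of `s` (only the child uses it) without freeing it, so whatever release routine crypto-gnutls.h provides for a session should be called on those paths and in the parent after the fork (its name is not visible in this patch, so I have not written it in). The fork() failure branch calls `err("Could not fork")`, which, if that is the cliserv.h macro, terminates the process, whereas every other failure in this block sets errstr and does `goto err` so the caller can report it; `snprintf(errstr, errstr_len, "Could not fork: %s", strerror(errno)); goto err;` after closing both plainfd ends would be consistent. `sock = plainfd[1];` only reassigns the parameter, so the caller sees the decrypted descriptor only if setup_connection_common returns `sock`; its tail is outside the hunk, so please confirm. The insecure flag `!cacertfile || !tlshostname` silently disables certificate verification when `-A` is omitted; a `g_warning` at that point would make an accidentally unverified test run visible in the log.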
@@ -1495,6 +1616,10 @@ int main(int argc, char **argv)
int testflags = 0;
testfunc test = throughput_test;
+#ifdef WITH_GNUTLS
+ tlssession_init();
+#endif
+
/* Ignore SIGPIPE as we want to pick up the error from write() */
signal(SIGPIPE, SIG_IGN);
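Review bot: `tlssession_init();` discards its result; if crypto-gnutls.h declares it with a status return (the prototype is not visible in this patch), a failed GnuTLS global initialisation would only surface later as an opaque handshake error. Something like `if (tlssession_init() < 0) { g_warning("Could not initialise TLS"); exit(EXIT_FAILURE); }` would report it at the point of failure, with the comparison adjusted to the real contract.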
@@ -1511,7 +1636,7 @@ int main(int argc, char **argv)
exit(EXIT_FAILURE);
}
logging(MY_NAME);
- while ((c = getopt(argc, argv, "-FN:t:owfilu:")) >= 0) {
+ while ((c = getopt(argc, argv, "-FN:t:owfilu:C:K:A:H:")) >= 0) {
switch (c) {
case 1:
handle_nonopt(optarg, &hostname, &p);
@@ -1546,6 +1671,28 @@ int main(int argc, char **argv)
case 'u':
unixsock = g_strdup(optarg);
break;
+#ifdef WITH_GNUTLS
+ case 'C':
+ certfile=g_strdup(optarg);
+ break;
+ case 'K':
+ keyfile=g_strdup(optarg);
+ break;
+ case 'A':
+ cacertfile=g_strdup(optarg);
+ break;
+ case 'H':
+ tlshostname=g_strdup(optarg);
+ break;
+#else
+ case 'C':
+ case 'K':
+ case 'H':
+ case 'A':
+ g_warning("TLS support not compiled in");
+ /* Do not change this - looked for by test suite */
+ exit(77);
+#endif
}
}
@@ -1553,6 +1700,12 @@ int main(int argc, char **argv)
handle_nonopt(argv[optind++], &hostname, &p);
}
+ if (keyfile && !certfile)
+ certfile = g_strdup(keyfile);
+
+ if (!tlshostname && hostname)
+ tlshostname = g_strdup(hostname);
+
if (test(hostname, unixsock, (int)p, name, sock, FALSE, TRUE, testflags)
< 0) {
g_warning("Could not run test: %s", errstr);
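Review bot: The two defaults added here encode assumptions that deserve a comment: `certfile = g_strdup(keyfile)` means a `-K` without `-C` is taken to be a combined key-plus-certificate PEM, and `tlshostname = g_strdup(hostname)` means the TLS peer is verified against whatever name was given on the command line, which the shipped test certificates (cn = 127.0.0.1) will not satisfy when the tool is invoked with `localhost`, hence the `-H` override in simple_test. Suggested: `/* -K without -C: the key file is assumed to also contain the certificate */` and `/* verify the TLS peer against the connect hostname unless -H overrides it */`. When `hostname` is NULL (presumably the unix-socket case) tlshostname stays NULL and setup_connection_common then opens the session with the insecure flag set, which is worth stating next to the second default.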
diff --git a/tests/run/simple_test b/tests/run/simple_test
index 0c05ea1..5da9984 100755
--- a/tests/run/simple_test
+++ b/tests/run/simple_test
@@ -284,6 +284,51 @@ EOF
./nbd-tester-client -N export1 -u ${tmpdir}/unix.sock
retval=$?
;;
+ */tls)
+ # TLS test
+ certdir=$(pwd)/certs
+ cat >${conffile} <<EOF
+[generic]
+ certfile = $certdir/server-cert.pem
+ keyfile = $certdir/server-key.pem
+ cacertfile = $certdir/ca-cert.pem
+[export1]
+ exportname = $tmpnam
+ flush = true
+ fua = true
+ rotational = true
+ filesize = 52428800
+ temporary = true
+EOF
+ ../../nbd-server -C ${conffile} -p ${pidfile} &
+ PID=$!
+ sleep 1
+ ./nbd-tester-client -N export1 -i -t "${mydir}/integrity-test.tr" -C "${certdir}/client-cert.pem" -K "${certdir}/client-key.pem" -A "${certdir}/ca-cert.pem" -H 127.0.0.1 localhost
+ retval=$?
+ ;;
+ */tlshuge)
+ # TLS test with big operations
+ # takes a while
+ certdir=$(pwd)/certs
+ cat >${conffile} <<EOF
+[generic]
+ certfile = $certdir/server-cert.pem
+ keyfile = $certdir/server-key.pem
+ cacertfile = $certdir/ca-cert.pem
+[export1]
+ exportname = $tmpnam
+ flush = true
+ fua = true
+ rotational = true
+ filesize = 52428800
+ temporary = true
+EOF
+ ../../nbd-server -C ${conffile} -p ${pidfile} &
+ PID=$!
+ sleep 1
+ ./nbd-tester-client -N export1 -i -t "${mydir}/integrityhuge-test.tr" -C "${certdir}/client-cert.pem" -K "${certdir}/client-key.pem" -A "${certdir}/ca-cert.pem" -H 127.0.0.1 localhost
+ retval=$?
+ ;;
*)
echo "E: unknown test $1"
exit 1
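Review bot: `certdir=$(pwd)/certs` resolves the certificates relative to the current working directory, whereas the transaction logs on the same command line come from `${mydir}`; if `mydir` is the script's source directory as that use suggests, an out-of-tree (VPATH) `make check` will not find `certs/` under `$(pwd)`, because the .pem files live in srcdir and are shipped via EXTRA_DIST. `certdir=${mydir}/certs` in both cases would keep the two consistent. The `-H 127.0.0.1 localhost` pairing also deserves a comment, e.g. `# -H must match the cn in certs/*.info (127.0.0.1); the connect name itself is localhost`, since a reader will otherwise wonder why the host appears twice. The `tlshuge` case repeats the whole server configuration of `tls` verbatim; writing the heredoc once before the case statement would avoid the two copies drifting apart.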
--
1.9.1