From 771d9ffc13d8a272d7d1e91b56565388c749c510 Mon Sep 17 00:00:00 2001 
From: "Richard W.M. Jones"
Date: Tue, 27 Aug 2024 19:33:03 +0100
Subject: [PATCH] Fix CVE-2024-7383 NBD server improper certificate validation

resolves: RHEL-52728

---
 ...-sparse-file.sh-Skip-test-unless-nbd.patch | 4 +-
 ...nerator-Refactor-CONNECT.START-state.patch | 4 +-
 ...a-better-error-message-if-connect-2-.patch | 4 +-
 ...t_go-Tolerate-unplanned-server-death.patch | 4 +-
 ...ocument-assignment-of-CVE-2021-20286.patch | 4 +-
 ...my-variable-rather-than-errno-to-cal.patch | 6 +-
 ...85-Fail-nbdcopy-if-NBD-read-or-write.patch | 14 +-
 ...-build-Move-to-minimum-gnutls-3.5.18.patch | 94 +++
 ...actor-out-some-common-Makefile-flags.patch | 727 ++++++++++++++++++
 ...i.c-Ensure-Unix-domain-socket-is-cle.patch | 149 ++++
 ...rtificates-DIR-query-parameter-in-UR.patch | 194 +++++
 ...h-Use-Subject-Alternative-Name-for-s.patch | 33 +
 ...ck-server-certificate-even-when-usin.patch | 57 ++
 ...ow-CA-verification-even-if-h-hostnam.patch | 76 ++
 ...tls-verify-peer-to-be-overridden-in-.patch | 90 +++
 ...d-link-to-TLS-server-certificate-che.patch | 32 +
 ...bd-security.pod-Assign-CVE-2024-7383.patch | 34 +
 copy-patches.sh | 2 +-
 libnbd.spec | 18 +-
 19 files changed, 1523 insertions(+), 23 deletions(-)
 create mode 100644 0008-build-Move-to-minimum-gnutls-3.5.18.patch
 create mode 100644 0009-tests-Factor-out-some-common-Makefile-flags.patch
 create mode 100644 0010-tests-connect-uri.c-Ensure-Unix-domain-socket-is-cle.patch
 create mode 100644 0011-lib-Allow-tls-certificates-DIR-query-parameter-in-UR.patch
 create mode 100644 0012-tests-make-pki.sh-Use-Subject-Alternative-Name-for-s.patch
 create mode 100644 0013-lib-crypto.c-Check-server-certificate-even-when-usin.patch
 create mode 100644 0014-lib-crypto.c-Allow-CA-verification-even-if-h-hostnam.patch
 create mode 100644 0015-lib-uri.c-Allow-tls-verify-peer-to-be-overridden-in-.patch
 create mode 100644 0016-docs-security-Add-link-to-TLS-server-certificate-che.patch
 create mode 100644 0017-docs-libnbd-security.pod-Assign-CVE-2024-7383.patch
diff --git a/0001-copy-copy-nbd-to-sparse-file.sh-Skip-test-unless-nbd.patch b/0001-copy-copy-nbd-to-sparse-file.sh-Skip-test-unless-nbd.patch index 173aae4..bf90cec 100644 --- a/0001-copy-copy-nbd-to-sparse-file.sh-Skip-test-unless-nbd.patch +++ b/0001-copy-copy-nbd-to-sparse-file.sh-Skip-test-unless-nbd.patch @@ -14,7 +14,7 @@ Fixes: commit 28fe8d9d8d1ecb491070d20f22e2f34bb147f19f 1 file changed, 1 insertion(+) diff --git a/copy/copy-nbd-to-sparse-file.sh b/copy/copy-nbd-to-sparse-file.sh -index aa2cb1b..47ff09a 100755 +index aa2cb1b9..47ff09ae 100755 --- a/copy/copy-nbd-to-sparse-file.sh +++ b/copy/copy-nbd-to-sparse-file.sh @@ -24,6 +24,7 @@ set -x @@ -26,5 +26,5 @@ index aa2cb1b..47ff09a 100755 requires test -r /dev/zero -- -2.31.1 +2.43.0 diff --git a/0002-generator-Refactor-CONNECT.START-state.patch b/0002-generator-Refactor-CONNECT.START-state.patch index ca013dc..51ac1dc 100644 --- a/0002-generator-Refactor-CONNECT.START-state.patch +++ b/0002-generator-Refactor-CONNECT.START-state.patch @@ -12,7 +12,7 @@ commit easier. 1 file changed, 10 insertions(+), 11 deletions(-) diff --git a/generator/states-connect.c b/generator/states-connect.c -index 392879d..03b34c7 100644 +index 392879d4..03b34c7d 100644 --- a/generator/states-connect.c +++ b/generator/states-connect.c @@ -47,11 +47,12 @@ disable_nagle (int sock) @@ -53,5 +53,5 @@ index 392879d..03b34c7 100644 CONNECT.CONNECTING: -- -2.31.1 +2.43.0 diff --git a/0003-generator-Print-a-better-error-message-if-connect-2-.patch b/0003-generator-Print-a-better-error-message-if-connect-2-.patch index 6ac2a69..ef4ec0c 100644 --- a/0003-generator-Print-a-better-error-message-if-connect-2-.patch +++ b/0003-generator-Print-a-better-error-message-if-connect-2-.patch @@ -17,7 +17,7 @@ Reviewed-by: Martin Kletzander 1 file changed, 16 insertions(+) diff --git a/generator/states-connect.c b/generator/states-connect.c -index 03b34c7..98c26e5 100644 +index 03b34c7d..98c26e54 100644 --- a/generator/states-connect.c 
+++ b/generator/states-connect.c @@ -70,6 +70,22 @@ STATE_MACHINE { @@ -44,5 +44,5 @@ index 03b34c7..98c26e5 100644 set_error (errno, "connect"); return 0; -- -2.31.1 +2.43.0 diff --git a/0004-opt_go-Tolerate-unplanned-server-death.patch b/0004-opt_go-Tolerate-unplanned-server-death.patch index 9080ea6..46a5a4e 100644 --- a/0004-opt_go-Tolerate-unplanned-server-death.patch +++ b/0004-opt_go-Tolerate-unplanned-server-death.patch @@ -24,7 +24,7 @@ Fixes: bbf1c51392 (api: Give aio_opt_go a completion callback) 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/lib/opt.c b/lib/opt.c -index 2317b72..e5802f4 100644 +index 2317b72a..e5802f4d 100644 --- a/lib/opt.c +++ b/lib/opt.c @@ -1,5 +1,5 @@ @@ -55,5 +55,5 @@ index 2317b72..e5802f4 100644 return -1; } -- -2.31.1 +2.43.0 diff --git a/0005-security-Document-assignment-of-CVE-2021-20286.patch b/0005-security-Document-assignment-of-CVE-2021-20286.patch index 8732515..d9960a0 100644 --- a/0005-security-Document-assignment-of-CVE-2021-20286.patch +++ b/0005-security-Document-assignment-of-CVE-2021-20286.patch @@ -13,7 +13,7 @@ Fixes: fb4440de9cc7 (opt_go: Tolerate unplanned server death) 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/docs/libnbd-security.pod b/docs/libnbd-security.pod -index d8ead87..0cae846 100644 +index d8ead875..0cae8462 100644 --- a/docs/libnbd-security.pod +++ b/docs/libnbd-security.pod @@ -22,6 +22,12 @@ L @@ -36,5 +36,5 @@ index d8ead87..0cae846 100644 -Copyright (C) 2019 Red Hat Inc. +Copyright (C) 2019-2021 Red Hat Inc. -- -2.31.1 +2.43.0 diff --git a/0006-copy-Pass-in-dummy-variable-rather-than-errno-to-cal.patch b/0006-copy-Pass-in-dummy-variable-rather-than-errno-to-cal.patch index 896876f..61454d9 100644 --- a/0006-copy-Pass-in-dummy-variable-rather-than-errno-to-cal.patch +++ b/0006-copy-Pass-in-dummy-variable-rather-than-errno-to-cal.patch @@ -47,7 +47,7 @@ Conflicts: 2 files changed, 18 insertions(+), 12 deletions(-) 
diff --git a/copy/file-ops.c b/copy/file-ops.c -index 086348a..cc312b4 100644 +index 086348a2..cc312b48 100644 --- a/copy/file-ops.c +++ b/copy/file-ops.c @@ -1,5 +1,5 @@ @@ -114,7 +114,7 @@ index 086348a..cc312b4 100644 exit (EXIT_FAILURE); } diff --git a/copy/multi-thread-copying.c b/copy/multi-thread-copying.c -index a7aaa7d..2593ff7 100644 +index a7aaa7de..2593ff76 100644 --- a/copy/multi-thread-copying.c +++ b/copy/multi-thread-copying.c @@ -1,5 +1,5 @@ @@ -159,5 +159,5 @@ index a7aaa7d..2593ff7 100644 static int -- -2.31.1 +2.43.0 diff --git a/0007-copy-CVE-2022-0485-Fail-nbdcopy-if-NBD-read-or-write.patch b/0007-copy-CVE-2022-0485-Fail-nbdcopy-if-NBD-read-or-write.patch index b191e8b..93d414a 100644 --- a/0007-copy-CVE-2022-0485-Fail-nbdcopy-if-NBD-read-or-write.patch +++ b/0007-copy-CVE-2022-0485-Fail-nbdcopy-if-NBD-read-or-write.patch @@ -78,7 +78,7 @@ a potential leak of nbdcopy heap contents into the destination. create mode 100755 copy/copy-nbd-error.sh diff --git a/TODO b/TODO -index 510c219..19c21d4 100644 +index 510c219a..19c21d44 100644 --- a/TODO +++ b/TODO @@ -35,6 +35,7 @@ nbdcopy: @@ -90,7 +90,7 @@ index 510c219..19c21d4 100644 nbdfuse: - If you write beyond the end of the virtual file, it returns EIO. diff --git a/copy/Makefile.am b/copy/Makefile.am -index d318388..3406cd8 100644 +index d318388f..3406cd85 100644 --- a/copy/Makefile.am +++ b/copy/Makefile.am @@ -1,5 +1,5 @@ @@ -118,7 +118,7 @@ index d318388..3406cd8 100644 copy-sparse-allocated.sh \ diff --git a/copy/copy-nbd-error.sh b/copy/copy-nbd-error.sh new file mode 100755 -index 0000000..bba71db +index 00000000..bba71db5 --- /dev/null +++ b/copy/copy-nbd-error.sh @@ -0,0 +1,81 @@ @@ -204,7 +204,7 @@ index 0000000..bba71db + +exit $fail diff --git a/copy/file-ops.c b/copy/file-ops.c -index cc312b4..b19af04 100644 +index cc312b48..b19af04c 100644 --- a/copy/file-ops.c +++ b/copy/file-ops.c @@ -162,10 +162,8 @@ file_asynch_read (struct rw *rw, 
@@ -246,7 +246,7 @@ index cc312b4..b19af04 100644 } diff --git a/copy/multi-thread-copying.c b/copy/multi-thread-copying.c -index 2593ff7..28749ae 100644 +index 2593ff76..28749ae7 100644 --- a/copy/multi-thread-copying.c +++ b/copy/multi-thread-copying.c @@ -28,6 +28,7 @@ @@ -284,7 +284,7 @@ index 2593ff7..28749ae 100644 if (--buffer->refs == 0) { free (buffer->data); diff --git a/copy/nbdcopy.h b/copy/nbdcopy.h -index 3dcc6df..9626a52 100644 +index 3dcc6dfe..9626a52c 100644 --- a/copy/nbdcopy.h +++ b/copy/nbdcopy.h @@ -1,5 +1,5 @@ @@ -314,5 +314,5 @@ index 3dcc6df..9626a52 100644 bool (*asynch_zero) (struct rw *rw, struct command *command, nbd_completion_callback cb); -- -2.31.1 +2.43.0 diff --git a/0008-build-Move-to-minimum-gnutls-3.5.18.patch b/0008-build-Move-to-minimum-gnutls-3.5.18.patch new file mode 100644 index 0000000..cb95661 --- /dev/null +++ b/0008-build-Move-to-minimum-gnutls-3.5.18.patch 
@@ -0,0 +1,94 @@ +From cd4f3bed33d5ffdba6846d270c0e11713bc1caf6 Mon Sep 17 00:00:00 2001 +From: "Richard W.M. Jones" +Date: Tue, 25 Jun 2024 10:55:54 +0100 +Subject: [PATCH] build: Move to minimum gnutls >= 3.5.18 +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +This version matches current qemu. + +RHEL 7 gnutls is too old (lacks gnutls_session_set_verify_cert), which +means TLS will be disabled on this platform. RHEL 8 has gnutls 3.6.14. + +I also unconditionally enabled the gnutls/socket.h header. This +header was added in 2016 (gnutls 3.5.3), so it's not present in RHEL 7. + +On RHEL 7 the configure-time test now prints: + + checking for GNUTLS... no + configure: WARNING: gnutls not found or < 3.5.18, TLS support will be disabled. + ... + Optional library features: + TLS support ............................ no + +Reviewed-by: Daniel P. Berrangé +(cherry picked from commit 5ff09cdbbd19226dd2d5015d76134f88dee9321e) +(cherry picked from commit cb6df4f81a97d5d58385d89b0135039f1eddee15) +--- + configure.ac | 12 +++--------- + lib/crypto.c | 5 +---- + 2 files changed, 4 insertions(+), 13 deletions(-) + +diff --git a/configure.ac b/configure.ac +index da3dc38a..29e3b47a 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -94,12 +94,13 @@ AC_ARG_WITH([gnutls], + [], + [with_gnutls=check]) + AS_IF([test "$with_gnutls" != "no"],[ +- PKG_CHECK_MODULES([GNUTLS], [gnutls >= 3.3.0], [ ++ PKG_CHECK_MODULES([GNUTLS], [gnutls >= 3.5.18], [ ++ printf "gnutls version is "; $PKG_CONFIG --modversion gnutls + AC_SUBST([GNUTLS_CFLAGS]) + AC_SUBST([GNUTLS_LIBS]) + AC_DEFINE([HAVE_GNUTLS],[1],[gnutls found at compile time.]) + ], [ +- AC_MSG_WARN([gnutls not found or < 3.3.0, TLS support will be disabled.]) ++ AC_MSG_WARN([gnutls not found or < 3.5.18, TLS support will be disabled.]) + ]) + ]) + AM_CONDITIONAL([HAVE_GNUTLS], [test "x$GNUTLS_LIBS" != "x"]) +@@ -114,13 +115,6 @@ AS_IF([test "$GNUTLS_LIBS" != ""],[ + 
AC_MSG_RESULT([$tls_priority]) + AC_DEFINE_UNQUOTED([TLS_PRIORITY],["$tls_priority"], + [Default TLS session priority string]) +- +- # Check for APIs which may not be present. +- old_LIBS="$LIBS" +- LIBS="$GNUTLS_LIBS $LIBS" +- AC_CHECK_FUNCS([\ +- gnutls_session_set_verify_cert]) +- LIBS="$old_LIBS" + ]) + + dnl certtool (part of GnuTLS) for testing TLS with certificates. +diff --git a/lib/crypto.c b/lib/crypto.c +index a9b3789c..705e114a 100644 +--- a/lib/crypto.c ++++ b/lib/crypto.c +@@ -28,6 +28,7 @@ + + #ifdef HAVE_GNUTLS + #include ++#include + #endif + + #include "internal.h" +@@ -512,12 +513,8 @@ set_up_certificate_credentials (struct nbd_handle *h, + return NULL; + + found_certificates: +-#ifdef HAVE_GNUTLS_SESSION_SET_VERIFY_CERT + if (h->hostname && h->tls_verify_peer) + gnutls_session_set_verify_cert (session, h->hostname, 0); +-#else +- debug (h, "ignoring nbd_set_tls_verify_peer, this requires GnuTLS >= 3.4.6"); +-#endif + + err = gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, ret); + if (err < 0) { +-- +2.43.0 + diff --git a/0009-tests-Factor-out-some-common-Makefile-flags.patch b/0009-tests-Factor-out-some-common-Makefile-flags.patch new file mode 100644 index 0000000..baf36e4 --- /dev/null +++ b/0009-tests-Factor-out-some-common-Makefile-flags.patch 
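Review bot: The new side of the lib/crypto.c hunk in 0008 still installs `gnutls_session_set_verify_cert` only under `if (h->hostname && h->tls_verify_peer)`, so as far as this hunk shows a handle with no hostname never asks GnuTLS to verify the server certificate at all, rather than falling back to CA-only verification; the patch only drops the `#ifdef HAVE_GNUTLS_SESSION_SET_VERIFY_CERT` fallback and leaves that gate untouched. The diffstat titles of 0013 and 0014 suggest the gate is relaxed later in the series, so this hunk is a prerequisite rather than the fix for the CVE named in the subject, and a short comment on the `if` line, such as `/* NOTE: handles without a hostname get no verification here; see later patches in this series */`, would stop a reviewer of this backport from reading it as the complete change. The enclosing function `set_up_certificate_credentials` starts and ends outside the hunk. Separately, the configure.ac hunk's added `printf "gnutls version is "; $PKG_CONFIG --modversion gnutls` writes to stdout directly, where `AC_MSG_NOTICE` would route the message through autoconf's normal reporting; that is a style point only.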
@@ -0,0 +1,727 @@ +From a852cec30a6540b5c1ea2947195454eef6269944 Mon Sep 17 00:00:00 2001 +From: "Richard W.M. Jones" +Date: Fri, 27 Aug 2021 15:12:12 +0100 +Subject: [PATCH] tests: Factor out some common Makefile flags + +We can use AM_CPPFLAGS, AM_CFLAGS etc to factor out some common flags +in the tests. Note the rules here are complicated, see: + +https://www.gnu.org/software/automake/manual/html_node/Flag-Variables-Ordering.html + +and for unclear reasons there is no AM_LDADD nor any workaround: + +https://stackoverflow.com/questions/29252969/automake-am-ldadd-workaround + +This commit is mostly pure refactoring but it also tries to make the +flags usage more consistent across tests so it may have side-effects +like enabling more warnings. + +(cherry picked from commit 5fd648f821e9ab3ee08bf360348d1fb01537a267) +(cherry picked from commit 6cb1f74b09beca1ddaef794136f221bfb7bb4faa) +--- + interop/Makefile.am | 57 ++++++------- + tests/Makefile.am | 190 ++++++++++++++++++-------------------------- + 2 files changed, 104 insertions(+), 143 deletions(-) + +diff --git a/interop/Makefile.am b/interop/Makefile.am +index 9787c26e..9432ad43 100644 +--- a/interop/Makefile.am ++++ b/interop/Makefile.am +@@ -28,6 +28,16 @@ LOG_COMPILER = $(top_builddir)/run + check_PROGRAMS = + TESTS = + ++# Common flags. ++# Note there is no such thing as "AM_LDADD". 
++AM_CPPFLAGS = \ ++ -I$(top_srcdir)/include \ ++ -I$(top_srcdir)/tests \ ++ $(NULL) ++AM_CFLAGS = \ ++ $(WARNINGS_CFLAGS) \ ++ $(NULL) ++ + if HAVE_NBD_SERVER + + check_PROGRAMS += \ +@@ -41,22 +51,20 @@ TESTS += \ + + interop_nbd_server_SOURCES = interop.c + interop_nbd_server_CPPFLAGS = \ +- -I$(top_srcdir)/include \ ++ $(AM_CPPFLAGS) \ + -DSERVER=\"$(NBD_SERVER)\" \ + -DSERVER_PARAMS='"-d", "-C", "/dev/null", "0", tmpfile' \ + -DEXPORT_NAME='""' +-interop_nbd_server_CFLAGS = $(WARNINGS_CFLAGS) + interop_nbd_server_LDADD = $(top_builddir)/lib/libnbd.la + + list_exports_nbd_server_SOURCES = list-exports.c + list_exports_nbd_server_CPPFLAGS = \ +- -I$(top_srcdir)/include \ ++ $(AM_CPPFLAGS) \ + -DSERVER=\"$(NBD_SERVER)\" \ + -DSERVER_PARAMS='"-C", "$(srcdir)/list-exports-nbd-config", "-d", "0"' \ + -DEXPORTS='"disk1", "disk2"' \ + -DDESCRIPTIONS='"", ""' \ + $(NULL) +-list_exports_nbd_server_CFLAGS = $(WARNINGS_CFLAGS) + list_exports_nbd_server_LDADD = $(top_builddir)/lib/libnbd.la + + endif HAVE_NBD_SERVER +@@ -104,19 +112,18 @@ endif + + interop_qemu_nbd_SOURCES = interop.c + interop_qemu_nbd_CPPFLAGS = \ +- -I$(top_srcdir)/include \ ++ $(AM_CPPFLAGS) \ + -DSOCKET_ACTIVATION=1 \ + -DSERVER=\"$(QEMU_NBD)\" \ + -DSERVER_PARAMS='"-f", "raw", "-x", "/", tmpfile' \ + -DEXPORT_NAME='"/"' \ + $(NULL) +-interop_qemu_nbd_CFLAGS = $(WARNINGS_CFLAGS) + interop_qemu_nbd_LDADD = $(top_builddir)/lib/libnbd.la + + # qemu-nbd requires absolute path to dir + interop_qemu_nbd_tls_certs_SOURCES = interop.c + interop_qemu_nbd_tls_certs_CPPFLAGS = \ +- -I$(top_srcdir)/include \ ++ $(AM_CPPFLAGS) \ + -DSOCKET_ACTIVATION=1 \ + -DSERVER=\"$(QEMU_NBD)\" \ + -DSERVER_PARAMS='"--object", "tls-creds-x509,id=tls0,endpoint=server,dir=$(abs_top_builddir)/tests/pki", "--tls-creds", "tls0", "-f", "raw", "-x", "/", tmpfile' \ +@@ -124,13 +131,12 @@ interop_qemu_nbd_tls_certs_CPPFLAGS = \ + -DCERTS=1 \ + -DTLS_MODE=LIBNBD_TLS_REQUIRE \ + $(NULL) +-interop_qemu_nbd_tls_certs_CFLAGS = 
$(WARNINGS_CFLAGS) + interop_qemu_nbd_tls_certs_LDADD = $(top_builddir)/lib/libnbd.la + + # qemu-nbd requires absolute path to dir + interop_qemu_nbd_tls_psk_SOURCES = interop.c + interop_qemu_nbd_tls_psk_CPPFLAGS = \ +- -I$(top_srcdir)/include \ ++ $(AM_CPPFLAGS) \ + -DSOCKET_ACTIVATION=1 \ + -DSERVER=\"$(QEMU_NBD)\" \ + -DSERVER_PARAMS='"--object", "tls-creds-psk,id=tls0,endpoint=server,dir=$(abs_top_builddir)/tests", "--tls-creds", "tls0", "-f", "raw", "-x", "/", tmpfile' \ +@@ -138,7 +144,6 @@ interop_qemu_nbd_tls_psk_CPPFLAGS = \ + -DPSK=1 \ + -DTLS_MODE=LIBNBD_TLS_REQUIRE \ + $(NULL) +-interop_qemu_nbd_tls_psk_CFLAGS = $(WARNINGS_CFLAGS) + interop_qemu_nbd_tls_psk_LDADD = $(top_builddir)/lib/libnbd.la + + dirty_bitmap_SOURCES = dirty-bitmap.c +@@ -148,28 +153,24 @@ dirty_bitmap_LDADD = $(top_builddir)/lib/libnbd.la + + list_exports_qemu_nbd_SOURCES = list-exports.c + list_exports_qemu_nbd_CPPFLAGS = \ +- -I$(top_srcdir)/include \ ++ $(AM_CPPFLAGS) \ + -DSOCKET_ACTIVATION=1 \ + -DSERVER=\"$(QEMU_NBD)\" \ + -DSERVER_PARAMS='"-f", "raw", "-x", "testing", "-D", "data", tmpfile' \ + -DEXPORTS='"testing"' \ + -DDESCRIPTIONS='"data"' \ + $(NULL) +-list_exports_qemu_nbd_CFLAGS = $(WARNINGS_CFLAGS) + list_exports_qemu_nbd_LDADD = $(top_builddir)/lib/libnbd.la + + socket_activation_qemu_nbd_SOURCES = socket-activation.c + socket_activation_qemu_nbd_CPPFLAGS = \ +- -I$(top_srcdir)/include \ ++ $(AM_CPPFLAGS) \ + -DSERVER=\"$(QEMU_NBD)\" \ + -DSERVER_PARAMS='"-f", "raw", "-x", "", tmpfile' \ + $(NULL) +-socket_activation_qemu_nbd_CFLAGS = $(WARNINGS_CFLAGS) + socket_activation_qemu_nbd_LDADD = $(top_builddir)/lib/libnbd.la + + structured_read_SOURCES = structured-read.c +-structured_read_CPPFLAGS = -I$(top_srcdir)/include +-structured_read_CFLAGS = $(WARNINGS_CFLAGS) + structured_read_LDADD = $(top_builddir)/lib/libnbd.la + + endif HAVE_QEMU_NBD +@@ -215,88 +216,80 @@ endif + + interop_nbdkit_SOURCES = interop.c + interop_nbdkit_CPPFLAGS = \ +- -I$(top_srcdir)/include \ 
++ $(AM_CPPFLAGS) \ + -DSERVER=\"$(NBDKIT)\" \ + -DSERVER_PARAMS='"-s", "--exit-with-parent", "file", tmpfile' \ + $(NULL) +-interop_nbdkit_CFLAGS = $(WARNINGS_CFLAGS) + interop_nbdkit_LDADD = $(top_builddir)/lib/libnbd.la + + interop_nbdkit_tls_certs_SOURCES = interop.c + interop_nbdkit_tls_certs_CPPFLAGS = \ +- -I$(top_srcdir)/include \ ++ $(AM_CPPFLAGS) \ + -DSERVER=\"$(NBDKIT)\" \ + -DSERVER_PARAMS='"--tls=require", "--tls-certificates=../tests/pki", "-s", "--exit-with-parent", "file", tmpfile' \ + -DCERTS=1 \ + -DTLS_MODE=LIBNBD_TLS_REQUIRE \ + $(NULL) +-interop_nbdkit_tls_certs_CFLAGS = $(WARNINGS_CFLAGS) + interop_nbdkit_tls_certs_LDADD = $(top_builddir)/lib/libnbd.la + + interop_nbdkit_tls_certs_allow_enabled_SOURCES = interop.c + interop_nbdkit_tls_certs_allow_enabled_CPPFLAGS = \ +- -I$(top_srcdir)/include \ ++ $(AM_CPPFLAGS) \ + -DSERVER=\"$(NBDKIT)\" \ + -DSERVER_PARAMS='"--tls=require", "--tls-certificates=../tests/pki", "-s", "--exit-with-parent", "file", tmpfile' \ + -DCERTS=1 \ + -DTLS_MODE=LIBNBD_TLS_ALLOW \ + $(NULL) +-interop_nbdkit_tls_certs_allow_enabled_CFLAGS = $(WARNINGS_CFLAGS) + interop_nbdkit_tls_certs_allow_enabled_LDADD = $(top_builddir)/lib/libnbd.la + + interop_nbdkit_tls_certs_allow_fallback_SOURCES = interop.c + interop_nbdkit_tls_certs_allow_fallback_CPPFLAGS = \ +- -I$(top_srcdir)/include \ ++ $(AM_CPPFLAGS) \ + -DSERVER=\"$(NBDKIT)\" \ + -DSERVER_PARAMS='"--tls=off", "-s", "--exit-with-parent", "file", tmpfile' \ + -DCERTS=1 \ + -DTLS_MODE=LIBNBD_TLS_ALLOW \ + -DTLS_FALLBACK=1 \ + $(NULL) +-interop_nbdkit_tls_certs_allow_fallback_CFLAGS = $(WARNINGS_CFLAGS) + interop_nbdkit_tls_certs_allow_fallback_LDADD = $(top_builddir)/lib/libnbd.la + + interop_nbdkit_tls_psk_SOURCES = interop.c + interop_nbdkit_tls_psk_CPPFLAGS = \ +- -I$(top_srcdir)/include \ ++ $(AM_CPPFLAGS) \ + -DSERVER=\"$(NBDKIT)\" \ + -DSERVER_PARAMS='"--tls=require", "--tls-psk=../tests/keys.psk", "-s", "--exit-with-parent", "file", tmpfile' \ + -DPSK=1 \ + 
-DTLS_MODE=LIBNBD_TLS_REQUIRE \ + $(NULL) +-interop_nbdkit_tls_psk_CFLAGS = $(WARNINGS_CFLAGS) + interop_nbdkit_tls_psk_LDADD = $(top_builddir)/lib/libnbd.la + + interop_nbdkit_tls_psk_allow_enabled_SOURCES = interop.c + interop_nbdkit_tls_psk_allow_enabled_CPPFLAGS = \ +- -I$(top_srcdir)/include \ ++ $(AM_CPPFLAGS) \ + -DSERVER=\"$(NBDKIT)\" \ + -DSERVER_PARAMS='"--tls=require", "--tls-psk=../tests/keys.psk", "-s", "--exit-with-parent", "file", tmpfile' \ + -DPSK=1 \ + -DTLS_MODE=LIBNBD_TLS_ALLOW \ + $(NULL) +-interop_nbdkit_tls_psk_allow_enabled_CFLAGS = $(WARNINGS_CFLAGS) + interop_nbdkit_tls_psk_allow_enabled_LDADD = $(top_builddir)/lib/libnbd.la + + interop_nbdkit_tls_psk_allow_fallback_SOURCES = interop.c + interop_nbdkit_tls_psk_allow_fallback_CPPFLAGS = \ +- -I$(top_srcdir)/include \ ++ $(AM_CPPFLAGS) \ + -DSERVER=\"$(NBDKIT)\" \ + -DSERVER_PARAMS='"--tls=off", "-s", "--exit-with-parent", "file", tmpfile' \ + -DPSK=1 \ + -DTLS_MODE=LIBNBD_TLS_ALLOW \ + -DTLS_FALLBACK=1 \ + $(NULL) +-interop_nbdkit_tls_psk_allow_fallback_CFLAGS = $(WARNINGS_CFLAGS) + interop_nbdkit_tls_psk_allow_fallback_LDADD = $(top_builddir)/lib/libnbd.la + + socket_activation_nbdkit_SOURCES = socket-activation.c + socket_activation_nbdkit_CPPFLAGS = \ +- -I$(top_srcdir)/include \ ++ $(AM_CPPFLAGS) \ + -DSERVER=\"$(NBDKIT)\" \ + -DSERVER_PARAMS='"file", tmpfile' \ + $(NULL) +-socket_activation_nbdkit_CFLAGS = $(WARNINGS_CFLAGS) + socket_activation_nbdkit_LDADD = $(top_builddir)/lib/libnbd.la + + endif HAVE_NBDKIT +diff --git a/tests/Makefile.am b/tests/Makefile.am +index 64320cad..436e1c10 100644 +--- a/tests/Makefile.am ++++ b/tests/Makefile.am +@@ -52,6 +52,18 @@ TESTS_ENVIRONMENT = srcdir=$(srcdir) LIBNBD_DEBUG=1 + # Use the ./run script so we're always using the local library and tools. + LOG_COMPILER = $(top_builddir)/run + ++# Common flags. ++# Note there is no such thing as "AM_LDADD". 
++AM_CPPFLAGS = \ ++ -I$(top_srcdir)/include \ ++ $(NULL) ++AM_CFLAGS = \ ++ $(WARNINGS_CFLAGS) \ ++ $(NULL) ++AM_CXXFLAGS = \ ++ $(WARNINGS_CFLAGS) \ ++ $(NULL) ++ + #---------------------------------------------------------------------- + # The following tests do not need an NBD server. + +@@ -81,45 +93,30 @@ TESTS += \ + .PHONY: compile + + compile_header_only_SOURCES = compile-header-only.c +-compile_header_only_CPPFLAGS = -I$(top_srcdir)/include +-compile_header_only_CFLAGS = $(WARNINGS_CFLAGS) + compile_header_only_LDADD = $(top_builddir)/lib/libnbd.la + + compile_c_SOURCES = compile.c +-compile_c_CPPFLAGS = -I$(top_srcdir)/include +-compile_c_CFLAGS = $(WARNINGS_CFLAGS) + compile_c_LDADD = $(top_builddir)/lib/libnbd.la + + compile_ansi_c_SOURCES = compile-ansi-c.c + compile_ansi_c_CPPFLAGS = \ +- -I$(top_srcdir)/include \ ++ $(AM_CPPFLAGS) \ + -std=c90 -pedantic +-compile_ansi_c_CFLAGS = $(WARNINGS_CFLAGS) + compile_ansi_c_LDADD = $(top_builddir)/lib/libnbd.la + + close_null_SOURCES = close-null.c +-close_null_CPPFLAGS = -I$(top_srcdir)/include +-close_null_CFLAGS = $(WARNINGS_CFLAGS) + close_null_LDADD = $(top_builddir)/lib/libnbd.la + + debug_SOURCES = debug.c +-debug_CPPFLAGS = -I$(top_srcdir)/include +-debug_CFLAGS = $(WARNINGS_CFLAGS) + debug_LDADD = $(top_builddir)/lib/libnbd.la + + debug_environment_SOURCES = debug-environment.c +-debug_environment_CPPFLAGS = -I$(top_srcdir)/include +-debug_environment_CFLAGS = $(WARNINGS_CFLAGS) + debug_environment_LDADD = $(top_builddir)/lib/libnbd.la + + version_SOURCES = version.c +-version_CPPFLAGS = -I$(top_srcdir)/include +-version_CFLAGS = $(WARNINGS_CFLAGS) + version_LDADD = $(top_builddir)/lib/libnbd.la + + export_name_SOURCES = export-name.c +-export_name_CPPFLAGS = -I$(top_srcdir)/include +-export_name_CFLAGS = $(WARNINGS_CFLAGS) + export_name_LDADD = $(top_builddir)/lib/libnbd.la + + if HAVE_CXX +@@ -128,8 +125,6 @@ check_PROGRAMS += compile-cxx + TESTS += compile-cxx + + compile_cxx_SOURCES = 
compile-cxx.cpp +-compile_cxx_CPPFLAGS = -I$(top_srcdir)/include +-compile_cxx_CXXFLAGS = $(WARNINGS_CFLAGS) + compile_cxx_LDADD = $(top_builddir)/lib/libnbd.la + + endif HAVE_CXX +@@ -220,243 +215,208 @@ TESTS += \ + $(NULL) + + errors_SOURCES = errors.c +-errors_CPPFLAGS = -I$(top_srcdir)/include +-errors_CFLAGS = $(WARNINGS_CFLAGS) + errors_LDADD = $(top_builddir)/lib/libnbd.la + + server_death_SOURCES = server-death.c +-server_death_CPPFLAGS = -I$(top_srcdir)/include +-server_death_CFLAGS = $(WARNINGS_CFLAGS) + server_death_LDADD = $(top_builddir)/lib/libnbd.la + + shutdown_flags_SOURCES = shutdown-flags.c +-shutdown_flags_CPPFLAGS = -I$(top_srcdir)/include +-shutdown_flags_CFLAGS = $(WARNINGS_CFLAGS) + shutdown_flags_LDADD = $(top_builddir)/lib/libnbd.la + + get_size_SOURCES = get-size.c +-get_size_CPPFLAGS = -I$(top_srcdir)/include +-get_size_CFLAGS = $(WARNINGS_CFLAGS) + get_size_LDADD = $(top_builddir)/lib/libnbd.la + + read_only_flag_SOURCES = read-only-flag.c +-read_only_flag_CPPFLAGS = -I$(top_srcdir)/include +-read_only_flag_CFLAGS = $(WARNINGS_CFLAGS) + read_only_flag_LDADD = $(top_builddir)/lib/libnbd.la + + read_write_flag_SOURCES = read-write-flag.c +-read_write_flag_CPPFLAGS = -I$(top_srcdir)/include +-read_write_flag_CFLAGS = $(WARNINGS_CFLAGS) + read_write_flag_LDADD = $(top_builddir)/lib/libnbd.la + + can_flush_flag_SOURCES = eflags.c + can_flush_flag_CPPFLAGS = \ +- -I$(top_srcdir)/include -Dflag=can_flush \ ++ $(AM_CPPFLAGS) \ ++ -Dflag=can_flush \ + $(NULL) +-can_flush_flag_CFLAGS = $(WARNINGS_CFLAGS) + can_flush_flag_LDADD = $(top_builddir)/lib/libnbd.la + + can_not_flush_flag_SOURCES = eflags.c + can_not_flush_flag_CPPFLAGS = \ +- -I$(top_srcdir)/include -Dflag=can_flush -Dvalue=false \ ++ $(AM_CPPFLAGS) \ ++ -Dflag=can_flush -Dvalue=false \ + $(NULL) +-can_not_flush_flag_CFLAGS = $(WARNINGS_CFLAGS) + can_not_flush_flag_LDADD = $(top_builddir)/lib/libnbd.la + + can_fua_flag_SOURCES = eflags.c + can_fua_flag_CPPFLAGS = \ +- 
-I$(top_srcdir)/include -Dflag=can_fua -Dvalue=native \ ++ $(AM_CPPFLAGS) \ ++ -Dflag=can_fua -Dvalue=native \ + $(NULL) +-can_fua_flag_CFLAGS = $(WARNINGS_CFLAGS) + can_fua_flag_LDADD = $(top_builddir)/lib/libnbd.la + + can_not_fua_flag_SOURCES = eflags.c + can_not_fua_flag_CPPFLAGS = \ +- -I$(top_srcdir)/include -Dflag=can_fua -Dvalue=none \ ++ $(AM_CPPFLAGS) \ ++ -Dflag=can_fua -Dvalue=none \ + $(NULL) +-can_not_fua_flag_CFLAGS = $(WARNINGS_CFLAGS) + can_not_fua_flag_LDADD = $(top_builddir)/lib/libnbd.la + + is_rotational_flag_SOURCES = eflags.c + is_rotational_flag_CPPFLAGS = \ +- -I$(top_srcdir)/include -Dflag=is_rotational \ ++ $(AM_CPPFLAGS) \ ++ -Dflag=is_rotational \ + $(NULL) +-is_rotational_flag_CFLAGS = $(WARNINGS_CFLAGS) + is_rotational_flag_LDADD = $(top_builddir)/lib/libnbd.la + + is_not_rotational_flag_SOURCES = eflags.c + is_not_rotational_flag_CPPFLAGS = \ +- -I$(top_srcdir)/include -Dflag=is_rotational -Dvalue=false \ ++ $(AM_CPPFLAGS) \ ++ -Dflag=is_rotational -Dvalue=false \ + $(NULL) +-is_not_rotational_flag_CFLAGS = $(WARNINGS_CFLAGS) + is_not_rotational_flag_LDADD = $(top_builddir)/lib/libnbd.la + + can_trim_flag_SOURCES = eflags.c + can_trim_flag_CPPFLAGS = \ +- -I$(top_srcdir)/include -Dflag=can_trim \ ++ $(AM_CPPFLAGS) \ ++ -Dflag=can_trim \ + $(NULL) +-can_trim_flag_CFLAGS = $(WARNINGS_CFLAGS) + can_trim_flag_LDADD = $(top_builddir)/lib/libnbd.la + + can_not_trim_flag_SOURCES = eflags.c + can_not_trim_flag_CPPFLAGS = \ +- -I$(top_srcdir)/include -Dflag=can_trim -Dvalue=false \ ++ $(AM_CPPFLAGS) \ ++ -Dflag=can_trim -Dvalue=false \ + $(NULL) +-can_not_trim_flag_CFLAGS = $(WARNINGS_CFLAGS) + can_not_trim_flag_LDADD = $(top_builddir)/lib/libnbd.la + + can_zero_flag_SOURCES = eflags.c + can_zero_flag_CPPFLAGS = \ +- -I$(top_srcdir)/include -Dflag=can_zero \ ++ $(AM_CPPFLAGS) \ ++ -Dflag=can_zero \ + $(NULL) +-can_zero_flag_CFLAGS = $(WARNINGS_CFLAGS) + can_zero_flag_LDADD = $(top_builddir)/lib/libnbd.la + + can_not_zero_flag_SOURCES = 
eflags.c + can_not_zero_flag_CPPFLAGS = \ +- -I$(top_srcdir)/include -Dflag=can_zero -Dvalue=false \ ++ $(AM_CPPFLAGS) \ ++ -Dflag=can_zero -Dvalue=false \ + -Dfilter='"--filter=nozero"' \ + $(NULL) +-can_not_zero_flag_CFLAGS = $(WARNINGS_CFLAGS) + can_not_zero_flag_LDADD = $(top_builddir)/lib/libnbd.la + + can_fast_zero_flag_SOURCES = eflags.c + can_fast_zero_flag_CPPFLAGS = \ ++ $(AM_CPPFLAGS) \ + -I$(top_srcdir)/include -Dflag=can_fast_zero \ + -Drequire='"has_can_fast_zero=1"' \ + $(NULL) +-can_fast_zero_flag_CFLAGS = $(WARNINGS_CFLAGS) + can_fast_zero_flag_LDADD = $(top_builddir)/lib/libnbd.la + + can_not_fast_zero_flag_SOURCES = eflags.c + can_not_fast_zero_flag_CPPFLAGS = \ ++ $(AM_CPPFLAGS) \ + -I$(top_srcdir)/include -Dflag=can_fast_zero -Dvalue=false \ + -Drequire='"has_can_fast_zero=1"' \ + $(NULL) +-can_not_fast_zero_flag_CFLAGS = $(WARNINGS_CFLAGS) + can_not_fast_zero_flag_LDADD = $(top_builddir)/lib/libnbd.la + + can_df_flag_SOURCES = eflags.c + can_df_flag_CPPFLAGS = \ +- -I$(top_srcdir)/include -Dflag=can_df \ ++ $(AM_CPPFLAGS) \ ++ -Dflag=can_df \ + $(NULL) +-can_df_flag_CFLAGS = $(WARNINGS_CFLAGS) + can_df_flag_LDADD = $(top_builddir)/lib/libnbd.la + + can_not_df_flag_SOURCES = eflags.c + can_not_df_flag_CPPFLAGS = \ +- -I$(top_srcdir)/include -Dflag=can_df -Dvalue=false -Dno_sr \ ++ $(AM_CPPFLAGS) \ ++ -Dflag=can_df -Dvalue=false -Dno_sr \ + $(NULL) +-can_not_df_flag_CFLAGS = $(WARNINGS_CFLAGS) + can_not_df_flag_LDADD = $(top_builddir)/lib/libnbd.la + + can_multi_conn_flag_SOURCES = eflags.c + can_multi_conn_flag_CPPFLAGS = \ +- -I$(top_srcdir)/include -Dflag=can_multi_conn \ ++ $(AM_CPPFLAGS) \ ++ -Dflag=can_multi_conn \ + $(NULL) +-can_multi_conn_flag_CFLAGS = $(WARNINGS_CFLAGS) + can_multi_conn_flag_LDADD = $(top_builddir)/lib/libnbd.la + + can_not_multi_conn_flag_SOURCES = eflags.c + can_not_multi_conn_flag_CPPFLAGS = \ +- -I$(top_srcdir)/include -Dflag=can_multi_conn -Dvalue=false \ ++ $(AM_CPPFLAGS) \ ++ -Dflag=can_multi_conn -Dvalue=false 
\ + $(NULL) +-can_not_multi_conn_flag_CFLAGS = $(WARNINGS_CFLAGS) + can_not_multi_conn_flag_LDADD = $(top_builddir)/lib/libnbd.la + + can_cache_flag_SOURCES = eflags.c + can_cache_flag_CPPFLAGS = \ ++ $(AM_CPPFLAGS) \ + -I$(top_srcdir)/include -Dflag=can_cache -Dvalue=native \ + -Drequire='"has_can_cache=1"' \ + $(NULL) +-can_cache_flag_CFLAGS = $(WARNINGS_CFLAGS) + can_cache_flag_LDADD = $(top_builddir)/lib/libnbd.la + + can_not_cache_flag_SOURCES = eflags.c + can_not_cache_flag_CPPFLAGS = \ ++ $(AM_CPPFLAGS) \ + -I$(top_srcdir)/include -Dflag=can_cache -Dvalue=none \ + -Drequire='"has_can_cache=1"' \ + $(NULL) +-can_not_cache_flag_CFLAGS = $(WARNINGS_CFLAGS) + can_not_cache_flag_LDADD = $(top_builddir)/lib/libnbd.la + + oldstyle_SOURCES = oldstyle.c +-oldstyle_CPPFLAGS = -I$(top_srcdir)/include +-oldstyle_CFLAGS = $(WARNINGS_CFLAGS) + oldstyle_LDADD = $(top_builddir)/lib/libnbd.la + + newstyle_limited_SOURCES = newstyle-limited.c +-newstyle_limited_CPPFLAGS = -I$(top_srcdir)/include +-newstyle_limited_CFLAGS = $(WARNINGS_CFLAGS) + newstyle_limited_LDADD = $(top_builddir)/lib/libnbd.la + + opt_abort_SOURCES = opt-abort.c +-opt_abort_CPPFLAGS = -I$(top_srcdir)/include +-opt_abort_CFLAGS = $(WARNINGS_CFLAGS) + opt_abort_LDADD = $(top_builddir)/lib/libnbd.la + + opt_list_SOURCES = opt-list.c + opt_list_CPPFLAGS = \ +- -I$(top_srcdir)/include \ ++ $(AM_CPPFLAGS) \ + -DSCRIPT='"$(abs_srcdir)/opt-list.sh"' \ + $(NULL) +-opt_list_CFLAGS = $(WARNINGS_CFLAGS) + opt_list_LDADD = $(top_builddir)/lib/libnbd.la + + opt_info_SOURCES = opt-info.c + opt_info_CPPFLAGS = \ +- -I$(top_srcdir)/include \ ++ $(AM_CPPFLAGS) \ + -DSCRIPT='"$(abs_srcdir)/opt-info.sh"' \ + $(NULL) +-opt_info_CFLAGS = $(WARNINGS_CFLAGS) + opt_info_LDADD = $(top_builddir)/lib/libnbd.la + + opt_list_meta_SOURCES = opt-list-meta.c +-opt_list_meta_CPPFLAGS = \ +- -I$(top_srcdir)/include \ +- $(NULL) +-opt_list_meta_CFLAGS = $(WARNINGS_CFLAGS) + opt_list_meta_LDADD = $(top_builddir)/lib/libnbd.la + + 
connect_unix_SOURCES = connect-unix.c +-connect_unix_CPPFLAGS = -I$(top_srcdir)/include +-connect_unix_CFLAGS = $(WARNINGS_CFLAGS) + connect_unix_LDADD = $(top_builddir)/lib/libnbd.la + + connect_tcp_SOURCES = connect-tcp.c +-connect_tcp_CPPFLAGS = -I$(top_srcdir)/include +-connect_tcp_CFLAGS = $(WARNINGS_CFLAGS) + connect_tcp_LDADD = $(top_builddir)/lib/libnbd.la + + aio_parallel_SOURCES = aio-parallel.c + aio_parallel_CPPFLAGS = \ +- -I$(top_srcdir)/include \ ++ $(AM_CPPFLAGS) \ + -I$(top_srcdir)/common/include \ + $(NULL) +-aio_parallel_CFLAGS = $(WARNINGS_CFLAGS) $(PTHREAD_CFLAGS) + aio_parallel_LDADD = $(top_builddir)/lib/libnbd.la $(PTHREAD_LIBS) + + aio_parallel_load_SOURCES = aio-parallel-load.c +-aio_parallel_load_CPPFLAGS = -I$(top_srcdir)/include +-aio_parallel_load_CFLAGS = $(WARNINGS_CFLAGS) $(PTHREAD_CFLAGS) + aio_parallel_load_LDADD = $(top_builddir)/lib/libnbd.la $(PTHREAD_LIBS) + + synch_parallel_SOURCES = synch-parallel.c + synch_parallel_CPPFLAGS = \ +- -I$(top_srcdir)/include \ ++ $(AM_CPPFLAGS) \ + -I$(top_srcdir)/common/include \ + $(NULL) +-synch_parallel_CFLAGS = $(WARNINGS_CFLAGS) $(PTHREAD_CFLAGS) ++synch_parallel_CFLAGS = $(AM_CFLAGS) $(PTHREAD_CFLAGS) + synch_parallel_LDADD = $(top_builddir)/lib/libnbd.la $(PTHREAD_LIBS) + + meta_base_allocation_SOURCES = meta-base-allocation.c +-meta_base_allocation_CPPFLAGS = -I$(top_srcdir)/include +-meta_base_allocation_CFLAGS = $(WARNINGS_CFLAGS) + meta_base_allocation_LDADD = $(top_builddir)/lib/libnbd.la + + closure_lifetimes_SOURCES = closure-lifetimes.c +-closure_lifetimes_CPPFLAGS = -I$(top_srcdir)/include +-closure_lifetimes_CFLAGS = $(WARNINGS_CFLAGS) + closure_lifetimes_LDADD = $(top_builddir)/lib/libnbd.la + + #---------------------------------------------------------------------- +@@ -470,8 +430,10 @@ check_DATA += pki/stamp-pki + TESTS += connect-tls-certs + + connect_tls_certs_SOURCES = connect-tls.c +-connect_tls_certs_CPPFLAGS = -I$(top_srcdir)/include -DCERTS=1 
+-connect_tls_certs_CFLAGS = $(WARNINGS_CFLAGS) ++connect_tls_certs_CPPFLAGS = \ ++ $(AM_CPPFLAGS) \ ++ -DCERTS=1 \ ++ $(NULL) + connect_tls_certs_LDADD = $(top_builddir)/lib/libnbd.la + + pki/stamp-pki: $(srcdir)/make-pki.sh +@@ -499,31 +461,36 @@ TESTS += \ + check_DATA += keys.psk + + connect_tls_psk_SOURCES = connect-tls.c +-connect_tls_psk_CPPFLAGS = -I$(top_srcdir)/include -DPSK=1 +-connect_tls_psk_CFLAGS = $(WARNINGS_CFLAGS) ++connect_tls_psk_CPPFLAGS = \ ++ $(AM_CPPFLAGS) \ ++ -DPSK=1 \ ++ $(NULL) + connect_tls_psk_LDADD = $(top_builddir)/lib/libnbd.la + + aio_parallel_tls_SOURCES = aio-parallel.c + aio_parallel_tls_CPPFLAGS = \ +- -I$(top_srcdir)/include \ ++ $(AM_CPPFLAGS) \ + -I$(top_srcdir)/common/include \ + -DTLS=1 \ + $(NULL) +-aio_parallel_tls_CFLAGS = $(WARNINGS_CFLAGS) $(PTHREAD_CFLAGS) ++aio_parallel_tls_CFLAGS = $(AM_CFLAGS) $(PTHREAD_CFLAGS) + aio_parallel_tls_LDADD = $(top_builddir)/lib/libnbd.la $(PTHREAD_LIBS) + + aio_parallel_load_tls_SOURCES = aio-parallel-load.c +-aio_parallel_load_tls_CPPFLAGS = -I$(top_srcdir)/include -DTLS=1 +-aio_parallel_load_tls_CFLAGS = $(WARNINGS_CFLAGS) $(PTHREAD_CFLAGS) ++aio_parallel_load_tls_CPPFLAGS = \ ++ $(AM_CPPFLAGS) \ ++ -DTLS=1 \ ++ $(NULL) ++aio_parallel_load_tls_CFLAGS = $(AM_CFLAGS) $(PTHREAD_CFLAGS) + aio_parallel_load_tls_LDADD = $(top_builddir)/lib/libnbd.la $(PTHREAD_LIBS) + + synch_parallel_tls_SOURCES = synch-parallel.c + synch_parallel_tls_CPPFLAGS = \ +- -I$(top_srcdir)/include \ ++ $(AM_CPPFLAGS) \ + -I$(top_srcdir)/common/include \ + -DTLS=1 \ + $(NULL) +-synch_parallel_tls_CFLAGS = $(WARNINGS_CFLAGS) $(PTHREAD_CFLAGS) ++synch_parallel_tls_CFLAGS = $(AM_CFLAGS) $(PTHREAD_CFLAGS) + synch_parallel_tls_LDADD = $(top_builddir)/lib/libnbd.la $(PTHREAD_LIBS) + + keys.psk: +@@ -550,18 +517,19 @@ TESTS += \ + RANDOM1 := $(shell bash -c "echo $$(( 32768 + (RANDOM & 16383) ))") + connect_uri_nbd_SOURCES = connect-uri.c + connect_uri_nbd_CPPFLAGS = \ +- -I$(top_srcdir)/include \ ++ $(AM_CPPFLAGS) \ + 
-DSERVER_PARAMS='"-p", "$(RANDOM1)"' \ + -DPIDFILE='"connect-uri-nbd.pid"' \ +- -DURI='"nbd://localhost:$(RANDOM1)/"' +-connect_uri_nbd_CFLAGS = $(WARNINGS_CFLAGS) ++ -DURI='"nbd://localhost:$(RANDOM1)/"' \ ++ $(NULL) ++connect_uri_nbd_CFLAGS = $(AM_CFLAGS) + connect_uri_nbd_LDADD = $(top_builddir)/lib/libnbd.la + + CONNECT_URI_NBD_UNIX_SOCKET := \ + $(shell mktemp /tmp/connect-uri-nbd-unix-socket-XXXXXX) + connect_uri_nbd_unix_SOURCES = connect-uri.c + connect_uri_nbd_unix_CPPFLAGS = \ +- -I$(top_srcdir)/include \ ++ $(AM_CPPFLAGS) \ + -DSERVER_PARAMS='"-U", SOCKET' \ + -DSOCKET='"$(CONNECT_URI_NBD_UNIX_SOCKET)"' \ + -DPIDFILE='"connect-uri-nbd-unix.pid"' \ +@@ -584,18 +552,18 @@ TESTS += \ + RANDOM2 := $(shell bash -c "echo $$(( 32768 + (RANDOM & 16383) ))") + connect_uri_nbds_SOURCES = connect-uri.c + connect_uri_nbds_CPPFLAGS = \ +- -I$(top_srcdir)/include \ ++ $(AM_CPPFLAGS) \ + -DSERVER_PARAMS='"-p", "$(RANDOM2)", "--tls=require", "--tls-certificates=pki"' \ + -DPIDFILE='"connect-uri-nbds.pid"' \ +- -DURI='"nbds://localhost:$(RANDOM2)/"' +-connect_uri_nbds_CFLAGS = $(WARNINGS_CFLAGS) ++ -DURI='"nbds://localhost:$(RANDOM2)/"' \ ++ $(NULL) + connect_uri_nbds_LDADD = $(top_builddir)/lib/libnbd.la + + CONNECT_URI_NBDS_UNIX_SOCKET := \ + $(shell mktemp /tmp/connect-uri-nbds-unix-socket-XXXXXX) + connect_uri_nbds_unix_SOURCES = connect-uri.c + connect_uri_nbds_unix_CPPFLAGS = \ +- -I$(top_srcdir)/include \ ++ $(AM_CPPFLAGS) \ + -DSERVER_PARAMS='"-U", SOCKET, "--tls=require", "--tls-certificates=pki"' \ + -DSOCKET='"$(CONNECT_URI_NBDS_UNIX_SOCKET)"' \ + -DPIDFILE='"connect-uri-nbds-unix.pid"' \ +@@ -617,11 +585,11 @@ TESTS += \ + RANDOM3 := $(shell bash -c "echo $$(( 32768 + (RANDOM & 16383) ))") + connect_uri_nbds_psk_SOURCES = connect-uri.c + connect_uri_nbds_psk_CPPFLAGS = \ +- -I$(top_srcdir)/include \ ++ $(AM_CPPFLAGS) \ + -DSERVER_PARAMS='"-p", "$(RANDOM3)", "--tls=require", "--tls-psk=keys.psk"' \ + -DPIDFILE='"connect-uri-nbds-psk.pid"' \ +- 
-DURI='"nbds://alice@localhost:$(RANDOM3)/?tls-psk-file=keys.psk"' +-connect_uri_nbds_psk_CFLAGS = $(WARNINGS_CFLAGS) ++ -DURI='"nbds://alice@localhost:$(RANDOM3)/?tls-psk-file=keys.psk"' \ ++ $(NULL) + connect_uri_nbds_psk_LDADD = $(top_builddir)/lib/libnbd.la + + endif HAVE_PSKTOOL +-- +2.43.0 + diff --git a/0010-tests-connect-uri.c-Ensure-Unix-domain-socket-is-cle.patch b/0010-tests-connect-uri.c-Ensure-Unix-domain-socket-is-cle.patch new file mode 100644 index 0000000..5668a44 --- /dev/null +++ b/0010-tests-connect-uri.c-Ensure-Unix-domain-socket-is-cle.patch 
@@ -0,0 +1,149 @@ +From da628792ddf7a3d3cb8f8b770c7dbb9b9d67444b Mon Sep 17 00:00:00 2001 +From: "Richard W.M. Jones" +Date: Sat, 24 Apr 2021 21:40:58 +0100 +Subject: [PATCH] tests/connect-uri.c: Ensure Unix domain socket is cleaned up + on exit + +Commit 70f83fed13 ("tests: Create test sockets in /tmp instead of +local directory.") aimed to create sockets with short path names in +/tmp. However it never cleaned them up. Worse still, every time the +Makefile was evaluated at all a temporary file was created. + +Fix this properly in the C file. + +Fixes: commit 70f83fed131c7e52b1a31a28d9acaf19f6c11d57 +(cherry picked from commit f5955c4c5bb0269e192b906a3ef98601aa63ad59) +(cherry picked from commit 502f0b59ec1dbd64c6c64279316e03540258a54c) +--- + tests/Makefile.am | 16 ++++++---------- + tests/connect-uri.c | 45 +++++++++++++++++++++++++++++++++++++++------ + 2 files changed, 45 insertions(+), 16 deletions(-) + +diff --git a/tests/Makefile.am b/tests/Makefile.am +index 436e1c10..ed5585a5 100644 +--- a/tests/Makefile.am ++++ b/tests/Makefile.am +@@ -525,15 +525,13 @@ connect_uri_nbd_CPPFLAGS = \ + connect_uri_nbd_CFLAGS = $(AM_CFLAGS) + connect_uri_nbd_LDADD = $(top_builddir)/lib/libnbd.la + +-CONNECT_URI_NBD_UNIX_SOCKET := \ +- $(shell mktemp /tmp/connect-uri-nbd-unix-socket-XXXXXX) + connect_uri_nbd_unix_SOURCES = connect-uri.c + connect_uri_nbd_unix_CPPFLAGS = \ + $(AM_CPPFLAGS) \ +- -DSERVER_PARAMS='"-U", SOCKET' \ +- -DSOCKET='"$(CONNECT_URI_NBD_UNIX_SOCKET)"' \ ++ -DNEEDS_UNIX_SOCKET=1 \ ++ -DSERVER_PARAMS='"-U", UNIX_SOCKET' \ + -DPIDFILE='"connect-uri-nbd-unix.pid"' \ +- -DURI='"nbd+unix:///?socket=" SOCKET' ++ -DURI='"nbd+unix:///?socket="' # UNIX_SOCKET appended + connect_uri_nbd_unix_CFLAGS = $(WARNINGS_CFLAGS) + connect_uri_nbd_unix_LDADD = $(top_builddir)/lib/libnbd.la + +@@ -559,15 +557,13 @@ connect_uri_nbds_CPPFLAGS = \ + $(NULL) + connect_uri_nbds_LDADD = $(top_builddir)/lib/libnbd.la + +-CONNECT_URI_NBDS_UNIX_SOCKET := \ +- $(shell mktemp 
/tmp/connect-uri-nbds-unix-socket-XXXXXX) + connect_uri_nbds_unix_SOURCES = connect-uri.c + connect_uri_nbds_unix_CPPFLAGS = \ + $(AM_CPPFLAGS) \ +- -DSERVER_PARAMS='"-U", SOCKET, "--tls=require", "--tls-certificates=pki"' \ +- -DSOCKET='"$(CONNECT_URI_NBDS_UNIX_SOCKET)"' \ ++ -DNEEDS_UNIX_SOCKET=1 \ ++ -DSERVER_PARAMS='"-U", UNIX_SOCKET, "--tls=require", "--tls-certificates=pki"' \ + -DPIDFILE='"connect-uri-nbds-unix.pid"' \ +- -DURI='"nbds+unix:///?socket=" SOCKET' ++ -DURI='"nbds+unix:///?socket="' # UNIX_SOCKET appended + connect_uri_nbds_unix_CFLAGS = $(WARNINGS_CFLAGS) + connect_uri_nbds_unix_LDADD = $(top_builddir)/lib/libnbd.la + +diff --git a/tests/connect-uri.c b/tests/connect-uri.c +index 6e7d1685..ce9e4d9b 100644 +--- a/tests/connect-uri.c ++++ b/tests/connect-uri.c +@@ -29,16 +29,49 @@ + + #include + ++#ifdef NEEDS_UNIX_SOCKET ++#define UNIX_SOCKET tmp ++static char tmp[] = "/tmp/nbdXXXXXX"; ++ ++static void ++unlink_unix_socket (void) ++{ ++ unlink (UNIX_SOCKET); ++} ++#endif /* NEEDS_UNIX_SOCKET */ ++ + int + main (int argc, char *argv[]) + { + struct nbd_handle *nbd; + pid_t pid; + size_t i; ++#ifdef NEEDS_UNIX_SOCKET ++ char *uri; ++#else ++ const char *uri = URI; ++#endif ++ ++#ifdef NEEDS_UNIX_SOCKET ++ int fd = mkstemp (UNIX_SOCKET); ++ if (fd == -1 || ++ close (fd) == -1) { ++ perror (UNIX_SOCKET); ++ exit (EXIT_FAILURE); ++ } ++ /* We have to remove the temporary file first, since we will create ++ * a socket in its place, and ensure the socket is removed on exit. 
++ */ ++ unlink_unix_socket (); ++ atexit (unlink_unix_socket); + +-#ifdef SOCKET +- unlink (SOCKET); ++ /* uri = URI + UNIX_SOCKET */ ++ if (asprintf (&uri, "%s%s", URI, UNIX_SOCKET) == -1) { ++ perror ("asprintf"); ++ exit (EXIT_FAILURE); ++ } + #endif ++ + unlink (PIDFILE); + + pid = fork (); +@@ -75,13 +108,13 @@ main (int argc, char *argv[]) + + nbd_set_uri_allow_local_file (nbd, true); + +- if (nbd_connect_uri (nbd, URI) == -1) { ++ if (nbd_connect_uri (nbd, uri) == -1) { + fprintf (stderr, "%s\n", nbd_get_error ()); + exit (EXIT_FAILURE); + } + + /* Check we negotiated the right kind of connection. */ +- if (strncmp (URI, "nbds", 4) == 0) { ++ if (strncmp (uri, "nbds", 4) == 0) { + if (! nbd_get_tls_negotiated (nbd)) { + fprintf (stderr, "%s: failed to negotiate a TLS connection\n", + argv[0]); +@@ -95,8 +128,8 @@ main (int argc, char *argv[]) + } + + nbd_close (nbd); +-#ifdef SOCKET +- unlink (SOCKET); ++#ifdef NEEDS_UNIX_SOCKET ++ free (uri); + #endif + exit (EXIT_SUCCESS); + } +-- +2.43.0 + diff --git a/0011-lib-Allow-tls-certificates-DIR-query-parameter-in-UR.patch b/0011-lib-Allow-tls-certificates-DIR-query-parameter-in-UR.patch new file mode 100644 index 0000000..4226f72 --- /dev/null +++ b/0011-lib-Allow-tls-certificates-DIR-query-parameter-in-UR.patch 
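Review bot: `atexit (unlink_unix_socket)` is registered before the `fork ()` that follows it, so if the child path leaves through `exit ()` rather than `_exit ()` (for example when its exec fails) the handler also runs in the child and removes the socket the parent is still waiting on; the child code is outside the hunk, so I cannot confirm which it uses. Registering the handler only in the parent after the fork, or having the child use `_exit`, avoids that. Separately, the `mkstemp` + `unlink` sequence gives up the atomic-create guarantee mkstemp provides, since the path is free between the unlink and the server's bind; acceptable in a test, but worth a comment such as `/* Not race-free: the path is unowned between unlink and the server's bind; fine for a test. */`.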
@@ -0,0 +1,194 @@ +From ee3f88640062372d04406da321270a775377eb6c Mon Sep 17 00:00:00 2001 +From: "Richard W.M. Jones" +Date: Fri, 3 Sep 2021 08:42:31 +0100 +Subject: [PATCH] lib: Allow tls-certificates= query parameter in URIs + +For nbd_connect_uri, this allows a non-default path to a certificates +directory to be specified. For example: + + nbds+unix://user@/?socket=/tmp/sock&tls-certificates=tests/pki + +nbd_get_uri is also extended to produce the tls-certificates query +field if nbd_set_tls_certificates was called. + +The main work here is extending the test suite so it actually tests +TLS URIs properly. Firstly we need to add --tls-verify-peer to the +nbdkit command line so it checks TLS client credentials at all +(previously it enabled TLS but didn't verify the client). Then we +need to add tests which use TLS certificates (previously only PSK was +being tested). And finally I loosened the rules for comparing URIs +since the order that query strings are returned by nbd_get_uri is not +necessarily the same as the query strings in nbd_connect_uri. 
+ +(cherry picked from commit 847e0b9830f6a9f07b4c242e1a500cd2b90cca5a) +(cherry picked from commit 5e85582ec79460c95552f06c6d6c41d15dae092f) +--- + .gitignore | 5 +++-- + generator/API.ml | 10 ++++++++++ + lib/uri.c | 14 ++++++++++++-- + tests/Makefile.am | 47 +++++++++++++++++++++++++++++------------------ + 4 files changed, 54 insertions(+), 22 deletions(-) + +diff --git a/.gitignore b/.gitignore +index 4935b81b..c974e27b 100644 +--- a/.gitignore ++++ b/.gitignore +@@ -167,9 +167,10 @@ Makefile.in + /tests/connect-unix + /tests/connect-uri-nbd + /tests/connect-uri-nbd-unix +-/tests/connect-uri-nbds ++/tests/connect-uri-nbds-certs + /tests/connect-uri-nbds-psk +-/tests/connect-uri-nbds-unix ++/tests/connect-uri-nbds-unix-certs ++/tests/connect-uri-nbds-unix-psk + /tests/debug + /tests/debug-environment + /tests/errors +diff --git a/generator/API.ml b/generator/API.ml +index a46c6407..4b2a62e8 100644 +--- a/generator/API.ml ++++ b/generator/API.ml +@@ -1231,6 +1231,11 @@ Connect over the Unix domain socket F to + an NBD server running locally. The export name is set to C + (note without any leading C character). + ++=item C ++ ++Connect over a Unix domain socket, enabling TLS and setting the ++path to a directory containing certificates and keys. ++ + =item C + + In this scenario libnbd is running in a virtual machine. Connect +@@ -1291,6 +1296,11 @@ Specifies the Unix domain socket to connect on. + Must be present for the C<+unix> transport and must not + be present for the other transports. + ++=item BF ++ ++Set the certificates directory. See L. ++Note this is not allowed by default - see next section. ++ + =item BF + + Set the PSK file. See L. 
Note +diff --git a/lib/uri.c b/lib/uri.c +index 9f5a2901..c8d9041e 100644 +--- a/lib/uri.c ++++ b/lib/uri.c +@@ -249,9 +249,19 @@ nbd_unlocked_aio_connect_uri (struct nbd_handle *h, const char *raw_uri) + if (tls && nbd_unlocked_set_tls (h, LIBNBD_TLS_REQUIRE) == -1) + goto cleanup; + +- /* Look for some tls-* parameters. XXX More to come. */ ++ /* Look for some tls-* parameters. */ + for (i = 0; i < queries.size; i++) { +- if (strcmp (queries.ptr[i].name, "tls-psk-file") == 0) { ++ if (strcmp (queries.ptr[i].name, "tls-certificates") == 0) { ++ if (! h->uri_allow_local_file) { ++ set_error (EPERM, ++ "local file access (tls-certificates) is not allowed, " ++ "call nbd_set_uri_allow_local_file to enable this"); ++ goto cleanup; ++ } ++ if (nbd_unlocked_set_tls_certificates (h, queries.ptr[i].value) == -1) ++ goto cleanup; ++ } ++ else if (strcmp (queries.ptr[i].name, "tls-psk-file") == 0) { + if (! h->uri_allow_local_file) { + set_error (EPERM, + "local file access (tls-psk-file) is not allowed, " +diff --git a/tests/Makefile.am b/tests/Makefile.am +index ed5585a5..3c33b747 100644 +--- a/tests/Makefile.am ++++ b/tests/Makefile.am +@@ -539,33 +539,32 @@ if HAVE_GNUTLS + if HAVE_CERTTOOL + + check_PROGRAMS += \ +- connect-uri-nbds \ +- connect-uri-nbds-unix \ ++ connect-uri-nbds-certs \ ++ connect-uri-nbds-unix-certs \ + $(NULL) + TESTS += \ +- connect-uri-nbds \ +- connect-uri-nbds-unix \ ++ connect-uri-nbds-certs \ ++ connect-uri-nbds-unix-certs \ + $(NULL) + + RANDOM2 := $(shell bash -c "echo $$(( 32768 + (RANDOM & 16383) ))") +-connect_uri_nbds_SOURCES = connect-uri.c +-connect_uri_nbds_CPPFLAGS = \ ++connect_uri_nbds_certs_SOURCES = connect-uri.c ++connect_uri_nbds_certs_CPPFLAGS = \ + $(AM_CPPFLAGS) \ +- -DSERVER_PARAMS='"-p", "$(RANDOM2)", "--tls=require", "--tls-certificates=pki"' \ +- -DPIDFILE='"connect-uri-nbds.pid"' \ +- -DURI='"nbds://localhost:$(RANDOM2)/"' \ ++ -DSERVER_PARAMS='"-p", "$(RANDOM2)", "--tls=require", "--tls-verify-peer", 
"--tls-certificates=pki"' \ ++ -DPIDFILE='"connect-uri-nbds-certs.pid"' \ ++ -DURI='"nbds://localhost:$(RANDOM2)/?tls-certificates=pki"' \ + $(NULL) +-connect_uri_nbds_LDADD = $(top_builddir)/lib/libnbd.la ++connect_uri_nbds_certs_LDADD = $(top_builddir)/lib/libnbd.la + +-connect_uri_nbds_unix_SOURCES = connect-uri.c +-connect_uri_nbds_unix_CPPFLAGS = \ ++connect_uri_nbds_unix_certs_SOURCES = connect-uri.c ++connect_uri_nbds_unix_certs_CPPFLAGS = \ + $(AM_CPPFLAGS) \ + -DNEEDS_UNIX_SOCKET=1 \ +- -DSERVER_PARAMS='"-U", UNIX_SOCKET, "--tls=require", "--tls-certificates=pki"' \ +- -DPIDFILE='"connect-uri-nbds-unix.pid"' \ +- -DURI='"nbds+unix:///?socket="' # UNIX_SOCKET appended +-connect_uri_nbds_unix_CFLAGS = $(WARNINGS_CFLAGS) +-connect_uri_nbds_unix_LDADD = $(top_builddir)/lib/libnbd.la ++ -DSERVER_PARAMS='"-U", UNIX_SOCKET, "--tls=require", "--tls-verify-peer", "--tls-certificates=pki"' \ ++ -DPIDFILE='"connect-uri-nbds-unix-certs.pid"' \ ++ -DURI='"nbds+unix://alice@/?tls-certificates=pki&socket="' # UNIX_SOCKET appended ++connect_uri_nbds_unix_certs_LDADD = $(top_builddir)/lib/libnbd.la + + endif HAVE_CERTTOOL + +@@ -573,21 +572,33 @@ if HAVE_PSKTOOL + + check_PROGRAMS += \ + connect-uri-nbds-psk \ ++ connect-uri-nbds-unix-psk \ + $(NULL) + TESTS += \ + connect-uri-nbds-psk \ ++ connect-uri-nbds-unix-psk \ + $(NULL) + + RANDOM3 := $(shell bash -c "echo $$(( 32768 + (RANDOM & 16383) ))") + connect_uri_nbds_psk_SOURCES = connect-uri.c + connect_uri_nbds_psk_CPPFLAGS = \ + $(AM_CPPFLAGS) \ +- -DSERVER_PARAMS='"-p", "$(RANDOM3)", "--tls=require", "--tls-psk=keys.psk"' \ ++ -DSERVER_PARAMS='"-p", "$(RANDOM3)", "--tls=require", "--tls-verify-peer", "--tls-psk=keys.psk"' \ + -DPIDFILE='"connect-uri-nbds-psk.pid"' \ + -DURI='"nbds://alice@localhost:$(RANDOM3)/?tls-psk-file=keys.psk"' \ + $(NULL) + connect_uri_nbds_psk_LDADD = $(top_builddir)/lib/libnbd.la + ++connect_uri_nbds_unix_psk_SOURCES = connect-uri.c ++connect_uri_nbds_unix_psk_CPPFLAGS = \ ++ $(AM_CPPFLAGS) \ 
++ -DNEEDS_UNIX_SOCKET=1 \ ++ -DSERVER_PARAMS='"-U", UNIX_SOCKET, "--tls=require", "--tls-verify-peer", "--tls-psk=keys.psk"' \ ++ -DPIDFILE='"connect-uri-nbds-unix-psk.pid"' \ ++ -DURI='"nbds+unix://alice@/?tls-psk-file=keys.psk&socket="' # UNIX_SOCKET appended \ ++ $(NULL) ++connect_uri_nbds_unix_psk_LDADD = $(top_builddir)/lib/libnbd.la ++ + endif HAVE_PSKTOOL + + endif HAVE_GNUTLS +-- +2.43.0 + diff --git a/0012-tests-make-pki.sh-Use-Subject-Alternative-Name-for-s.patch b/0012-tests-make-pki.sh-Use-Subject-Alternative-Name-for-s.patch new file mode 100644 index 0000000..12e461f --- /dev/null +++ b/0012-tests-make-pki.sh-Use-Subject-Alternative-Name-for-s.patch 
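Review bot: The new `tls-certificates` branch in nbd_unlocked_aio_connect_uri matches the query name with `strcmp`, while patch 0015 in this same series matches `tls-verify-peer` with `strcasecmp`; query names should be matched one way throughout, and case-sensitive is the conservative choice for a parameter that grants local file access. Also, the commit message says nbd_get_uri is extended to emit tls-certificates, but the lib/uri.c hunk here only touches the connect path and the diffstat (12 insertions, 2 deletions) matches just that, so either that part was dropped in the cherry-pick or the message should say so. The enclosing function continues outside the hunk.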
@@ -0,0 +1,33 @@ +From 10ca0d72932092b09475893de233f17d3eff8a72 Mon Sep 17 00:00:00 2001 +From: "Richard W.M. Jones" +Date: Thu, 4 Aug 2022 13:28:25 +0100 +Subject: [PATCH] tests/make-pki.sh: Use Subject Alternative Name for server + certificate + +This allows us to test this feature. + +(cherry picked from nbdkit commit 0c50bef16f9d6705add8db85c7ea7b4523770fba) + +(cherry picked from commit 38eabf6df05fae109212a4ce9afc9c0fe63c2f0e) +(cherry picked from commit b07898e1ee70b0641ec5233d6e8f7fa16b63c287) +--- + tests/make-pki.sh | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/tests/make-pki.sh b/tests/make-pki.sh +index d4f61204..03f4faa1 100755 +--- a/tests/make-pki.sh ++++ b/tests/make-pki.sh +@@ -75,6 +75,9 @@ chmod 0600 $1/server-key.pem + cat > $1/server.info < +Date: Mon, 24 Jun 2024 10:48:12 +0100 +Subject: [PATCH] lib/crypto.c: Check server certificate even when using system + CA +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +The previous code checked the server certificate only when a custom +certificate directory was set (ie. nbd_set_tls_certificates / +?tls-certificates=DIR). In the fallback case where we use the system +CA, we never called gnutls_session_set_verify_cert and so the server +certificate was never checked. + +Move the call to gnutls_session_set_verify_cert later so it is called +on both paths. + +If the server certificate does not match the hostname you will see: + +nbdinfo: nbd_connect_uri: gnutls_handshake: Error in the certificate verification. (15/1) + +Reported-by: Jon Szymaniak +Reviewed-by: Daniel P. 
Berrangé
+(cherry picked from commit 87ef41b69929d5d293390ec36b1c10aba2c9a57a)
+(cherry picked from commit 81bd57bb8ab0b142207efb9f69a233418fbb4f8f)
+---
+ lib/crypto.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/lib/crypto.c b/lib/crypto.c
+index 705e114a..4c398b03 100644
+--- a/lib/crypto.c
++++ b/lib/crypto.c
+@@ -513,9 +513,6 @@ set_up_certificate_credentials (struct nbd_handle *h,
+ return NULL;
+
+ found_certificates:
+- if (h->hostname && h->tls_verify_peer)
+- gnutls_session_set_verify_cert (session, h->hostname, 0);
+-
+ err = gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, ret);
+ if (err < 0) {
+ set_error (0, "gnutls_credentials_set: %s", gnutls_strerror (err));
+@@ -625,6 +622,9 @@ nbd_internal_crypto_create_session (struct nbd_handle *h,
+ gnutls_deinit (session);
+ return NULL;
+ }
++
++ if (h->hostname && h->tls_verify_peer)
++ gnutls_session_set_verify_cert (session, h->hostname, 0);
+ }
+
+ /* Wrap the underlying socket with GnuTLS. */
+--
+2.43.0
+
diff --git a/0014-lib-crypto.c-Allow-CA-verification-even-if-h-hostnam.patch b/0014-lib-crypto.c-Allow-CA-verification-even-if-h-hostnam.patch
new file mode 100644
index 0000000..d8fe97d
--- /dev/null
+++ b/0014-lib-crypto.c-Allow-CA-verification-even-if-h-hostnam.patch
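Review bot: Moving `gnutls_session_set_verify_cert` into nbd_internal_crypto_create_session covers the system-CA path, but the series adds no negative test for it: every new TLS test points both nbdkit and the client at the same `pki` directory, so a server certificate from an unknown CA or with a non-matching name is never exercised. A test that connects with the default trust store (no `tls-certificates=`) against the pki-signed nbdkit and expects `nbd_connect_uri` to fail would pin the behaviour this patch and 0014 establish. The new call still requires `h->hostname`, which 0014 relaxes, so I do not raise that here.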
@@ -0,0 +1,76 @@ +From 17dc75c8235af7126b3820d5e0be3488efe74671 Mon Sep 17 00:00:00 2001 +From: "Richard W.M. Jones" +Date: Mon, 24 Jun 2024 10:31:10 +0100 +Subject: [PATCH] lib/crypto.c: Allow CA verification even if h->hostname is + not set +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Calling gnutls_session_set_verify_cert with the hostname parameter set +to NULL is permitted: +https://www.gnutls.org/manual/html_node/Core-TLS-API.html#gnutls_005fsession_005fset_005fverify_005fcert + +It means that the server's hostname in the certificate will not be +verified but we can at least check that the certificate was signed by +the CA. This allows the CA to be checked even for connections over +Unix domain sockets. + +Example: + + $ rm -f /tmp/sock + $ nbdkit -U /tmp/sock -f --tls=require --tls-certificates=$HOME/d/nbdkit/tests/pki memory 1G & + +Before this change: + + $ nbdinfo 'nbds+unix://?socket=/tmp/sock' + protocol: newstyle-fixed with TLS, using structured packets + export="": + export-size: 1073741824 (1G) + content: data + uri: nbds+unix:///?socket=/tmp/sock + [etc] + +(works because it never called gnutls_session_set_verify_cert). + +After this change: + + $ nbdinfo 'nbds+unix://?socket=/tmp/sock' + nbdinfo: nbd_connect_uri: gnutls_handshake: Error in the certificate verification. (15/1) + +(fails because system CA does not know about nbdkit's certificate +which is signed by the CA from the nbdkit/tests/pki directory) + + $ nbdinfo 'nbds+unix://?socket=/tmp/sock&tls-certificates=/home/rjones/d/nbdkit/tests/pki' + protocol: newstyle-fixed with TLS, using structured packets + export="": + export-size: 1073741824 (1G) + content: data + uri: nbds+unix:///?socket=/tmp/sock&tls-certificates=/home/rjones/d/nbdkit/tests/pki + [etc] + +(works because we supplied the correct CA) + +Reviewed-by: Daniel P. 
Berrangé
+(cherry picked from commit 6ed47a27d14f6f11946bb096d94e5bf21d97083d)
+(cherry picked from commit 42ee6d8dd919b241b1f1510f5759673b26fc9731)
+---
+ lib/crypto.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lib/crypto.c b/lib/crypto.c
+index 4c398b03..a5177bbb 100644
+--- a/lib/crypto.c
++++ b/lib/crypto.c
+@@ -623,7 +623,7 @@ nbd_internal_crypto_create_session (struct nbd_handle *h,
+ return NULL;
+ }
+
+- if (h->hostname && h->tls_verify_peer)
++ if (h->tls_verify_peer)
+ gnutls_session_set_verify_cert (session, h->hostname, 0);
+ }
+
+--
+2.43.0
+
diff --git a/0015-lib-uri.c-Allow-tls-verify-peer-to-be-overridden-in-.patch b/0015-lib-uri.c-Allow-tls-verify-peer-to-be-overridden-in-.patch
new file mode 100644
index 0000000..c2c24d4
--- /dev/null
+++ b/0015-lib-uri.c-Allow-tls-verify-peer-to-be-overridden-in-.patch
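Review bot: With `h->hostname` now allowed to be NULL in the `gnutls_session_set_verify_cert` call, a connection over a Unix socket gets chain verification only and no name check, and nothing at the call site records that this weaker mode is deliberate. A comment would keep the next reader from restoring the hostname condition: `/* hostname may be NULL (eg. Unix sockets): GnuTLS then checks the chain against the CA but not the certificate name. */`. A debug log line when hostname is NULL would also make the downgrade visible in client logs, if the file has such a facility.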
@@ -0,0 +1,90 @@ +From 1f82b6d2d894bf567926f4ae52f4362654db8f38 Mon Sep 17 00:00:00 2001 +From: "Richard W.M. Jones" +Date: Tue, 25 Jun 2024 11:12:56 +0100 +Subject: [PATCH] lib/uri.c: Allow tls-verify-peer to be overridden in URIs +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Older versions of libnbd didn't always check the server certificate. +Since some clients might be depending on this, allow +?tls-verify-peer=false in URIs to skip this check. + +Reviewed-by: Daniel P. Berrangé +(cherry picked from commit 75641c6b30155abce272f60cf3518a65654aa401) +(cherry picked from commit caad9cfb5dda0957c4b15cc85738a4c6ac856e8b) +(cherry picked from commit 4bfc3176de535350f884732b8793574e37714d2a) +--- + generator/API.ml | 5 +++++ + lib/uri.c | 32 ++++++++++++++++++++++++++++++++ + 2 files changed, 37 insertions(+) + +diff --git a/generator/API.ml b/generator/API.ml +index 4b2a62e8..69ee428d 100644 +--- a/generator/API.ml ++++ b/generator/API.ml +@@ -1306,6 +1306,11 @@ Note this is not allowed by default - see next section. + Set the PSK file. See L. Note + this is not allowed by default - see next section. + ++=item B ++ ++Do not verify the server certificate. See L. ++The default is C. 
++
+ =back
+
+ =head2 Disable URI features
+diff --git a/lib/uri.c b/lib/uri.c
+index c8d9041e..8dfefd00 100644
+--- a/lib/uri.c
++++ b/lib/uri.c
+@@ -140,6 +140,31 @@ error:
+ return -1;
+ }
+
++/* Similar to nbdkit_parse_bool */
++int
++parse_bool (const char *param, const char *value)
++{
++ if (!strcmp (value, "1") ||
++ !strcasecmp (value, "true") ||
++ !strcasecmp (value, "t") ||
++ !strcasecmp (value, "yes") ||
++ !strcasecmp (value, "y") ||
++ !strcasecmp (value, "on"))
++ return 1;
++
++ if (!strcmp (value, "0") ||
++ !strcasecmp (value, "false") ||
++ !strcasecmp (value, "f") ||
++ !strcasecmp (value, "no") ||
++ !strcasecmp (value, "n") ||
++ !strcasecmp (value, "off"))
++ return 0;
++
++ set_error (EINVAL, "could not parse %s parameter, expecting %s=true|false",
++ param, param);
++ return -1;
++}
++
+ int
+ nbd_unlocked_aio_connect_uri (struct nbd_handle *h, const char *raw_uri)
+ {
+@@ -271,6 +296,13 @@ nbd_unlocked_aio_connect_uri (struct nbd_handle *h, const char *raw_uri)
+ if (nbd_unlocked_set_tls_psk_file (h, queries.ptr[i].value) == -1)
+ goto cleanup;
+ }
++ else if (strcasecmp (queries.ptr[i].name, "tls-verify-peer") == 0) {
++ int v = parse_bool ("tls-verify-peer", queries.ptr[i].value);
++ if (v == -1)
++ goto cleanup;
++ if (nbd_unlocked_set_tls_verify_peer (h, v) == -1)
++ goto cleanup;
++ }
+ }
+
+ /* Username. */
+--
+2.43.0
+
diff --git a/0016-docs-security-Add-link-to-TLS-server-certificate-che.patch b/0016-docs-security-Add-link-to-TLS-server-certificate-che.patch
new file mode 100644
index 0000000..8a6556b
--- /dev/null
+++ b/0016-docs-security-Add-link-to-TLS-server-certificate-che.patch
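Review bot: `parse_bool` is added with external linkage and a generic name inside a shared library; unless another translation unit needs it, it should be `static int parse_bool (const char *param, const char *value)` (or carry the `nbd_internal_` prefix the library uses for its other cross-file helpers) so it is not exported as a public symbol. Separately, `tls-verify-peer=false` can be set by whoever supplies the URI, whereas `tls-certificates` and `tls-psk-file` are gated on `uri_allow_local_file`; since URIs are commonly user- or config-supplied, consider gating this downgrade behind a similar allow flag, or at least listing it in the "Disable URI features" section that the API.ml hunk sits next to. The enclosing function nbd_unlocked_aio_connect_uri continues outside the second hunk.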
@@ -0,0 +1,32 @@ +From 437d3aedd5ecbcb8d5234665015c5813a6ca1712 Mon Sep 17 00:00:00 2001 +From: "Richard W.M. Jones" +Date: Tue, 25 Jun 2024 17:53:47 +0100 +Subject: [PATCH] docs: security: Add link to TLS server certificate checking + announcement + +(cherry picked from commit 9c723aa660c6ee7d224afbfc16eb7450d21fb9cf) +(cherry picked from commit 9b77d853d82c291f74b51305d58e9db7f555a254) +(cherry picked from commit b477be4ed47daa6ba73c176ae8b0288ec8e84f23) +--- + docs/libnbd-security.pod | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/docs/libnbd-security.pod b/docs/libnbd-security.pod +index 0cae8462..b31f3f8b 100644 +--- a/docs/libnbd-security.pod ++++ b/docs/libnbd-security.pod +@@ -28,6 +28,11 @@ denial of service when using L + See the full announcement here: + L + ++=head2 multiple flaws in TLS server certificate checking ++ ++See the full announcement here: ++L ++ + =head1 SEE ALSO + + L. +-- +2.43.0 + diff --git a/0017-docs-libnbd-security.pod-Assign-CVE-2024-7383.patch b/0017-docs-libnbd-security.pod-Assign-CVE-2024-7383.patch new file mode 100644 index 0000000..efe2348 --- /dev/null +++ b/0017-docs-libnbd-security.pod-Assign-CVE-2024-7383.patch 
@@ -0,0 +1,34 @@ +From 626331d88fdf8ed87dc066faeb836fc5926f5420 Mon Sep 17 00:00:00 2001 +From: "Richard W.M. Jones" +Date: Thu, 1 Aug 2024 15:17:29 +0100 +Subject: [PATCH] docs/libnbd-security.pod: Assign CVE-2024-7383 + +CVE-2024-7383 was assigned to the (already published & fixed) flaws +found in libnbd certificate checking. + +Reported-by: Jon Szymaniak +Thanks: Mauro Matteo Cascella +(cherry picked from commit 81a22ac6697ccdeb13509aba3072609251d1378b) +(cherry picked from commit 599281af594db8414d856db409846b04fce03824) +(cherry picked from commit 8f7dce2b6d6716f9eec0f352a3c420ae84a84be9) +--- + docs/libnbd-security.pod | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/docs/libnbd-security.pod b/docs/libnbd-security.pod +index b31f3f8b..4c3b5bbd 100644 +--- a/docs/libnbd-security.pod ++++ b/docs/libnbd-security.pod +@@ -28,7 +28,8 @@ denial of service when using L + See the full announcement here: + L + +-=head2 multiple flaws in TLS server certificate checking ++=head2 CVE-2024-7383 ++multiple flaws in TLS server certificate checking + + See the full announcement here: + L +-- +2.43.0 + diff --git a/copy-patches.sh b/copy-patches.sh index e00af4e..36f191b 100755 --- a/copy-patches.sh +++ b/copy-patches.sh @@ -6,7 +6,7 @@ set -e # directory. Use it like this: # ./copy-patches.sh -rhel_version=8.6 +rhel_version=8.10 # Check we're in the right directory. if [ ! -f libnbd.spec ]; then diff --git a/libnbd.spec b/libnbd.spec index 0020064..983cbcc 100644 --- a/libnbd.spec +++ b/libnbd.spec @@ -9,7 +9,7 @@ Name: libnbd Version: 1.6.0 -Release: 5%{?dist} +Release: 6%{?dist} Summary: NBD client library in userspace License: LGPLv2+ @@ -26,7 +26,7 @@ Source2: libguestfs.keyring Source3: copy-patches.sh # Patches come from this upstream branch: -# https://github.com/libguestfs/libnbd/tree/rhel-8.6 +# https://github.com/libguestfs/libnbd/tree/rhel-8.10 # Patches. Patch0001: 0001-copy-copy-nbd-to-sparse-file.sh-Skip-test-unless-nbd.patch 
@@ -36,6 +36,16 @@ Patch0004: 0004-opt_go-Tolerate-unplanned-server-death.patch Patch0005: 0005-security-Document-assignment-of-CVE-2021-20286.patch Patch0006: 0006-copy-Pass-in-dummy-variable-rather-than-errno-to-cal.patch Patch0007: 0007-copy-CVE-2022-0485-Fail-nbdcopy-if-NBD-read-or-write.patch +Patch0008: 0008-build-Move-to-minimum-gnutls-3.5.18.patch +Patch0009: 0009-tests-Factor-out-some-common-Makefile-flags.patch +Patch0010: 0010-tests-connect-uri.c-Ensure-Unix-domain-socket-is-cle.patch +Patch0011: 0011-lib-Allow-tls-certificates-DIR-query-parameter-in-UR.patch +Patch0012: 0012-tests-make-pki.sh-Use-Subject-Alternative-Name-for-s.patch +Patch0013: 0013-lib-crypto.c-Check-server-certificate-even-when-usin.patch +Patch0014: 0014-lib-crypto.c-Allow-CA-verification-even-if-h-hostnam.patch +Patch0015: 0015-lib-uri.c-Allow-tls-verify-peer-to-be-overridden-in-.patch +Patch0016: 0016-docs-security-Add-link-to-TLS-server-certificate-che.patch +Patch0017: 0017-docs-libnbd-security.pod-Assign-CVE-2024-7383.patch %if 0%{patches_touch_autotools} BuildRequires: autoconf, automake, libtool @@ -312,6 +322,10 @@ make %{?_smp_mflags} check || { %changelog +* Tue Aug 27 2024 Richard W.M. Jones - 1.6.0-6.el8 +- Fix CVE-2024-7383 NBD server improper certificate validation + resolves: RHEL-52728 + * Mon Feb 7 2022 Richard W.M. Jones - 1.6.0-5.el8 - Fix CVE-2022-0485: Fail nbdcopy if NBD read or write fails resolves: rhbz#2045718