Fix CVE-2024-7383 NBD server improper certificate validation

resolves: RHEL-52728
Richard W.M. Jones 2024-08-27 19:33:03 +01:00
parent 0c87f03679
commit 771d9ffc13
19 changed files with 1523 additions and 23 deletions

View File

@ -14,7 +14,7 @@ Fixes: commit 28fe8d9d8d1ecb491070d20f22e2f34bb147f19f
1 file changed, 1 insertion(+)
diff --git a/copy/copy-nbd-to-sparse-file.sh b/copy/copy-nbd-to-sparse-file.sh
index aa2cb1b..47ff09a 100755
index aa2cb1b9..47ff09ae 100755
--- a/copy/copy-nbd-to-sparse-file.sh
+++ b/copy/copy-nbd-to-sparse-file.sh
@@ -24,6 +24,7 @@ set -x
@ -26,5 +26,5 @@ index aa2cb1b..47ff09a 100755
requires test -r /dev/zero
--
2.31.1
2.43.0
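Review bot: the only differences in this hunk are the abbreviated blob hashes on the nested `index` line growing from 7 to 8 characters and the `2.31.1` trailer becoming `2.43.0`; that is regeneration noise from running `git format-patch` under a newer git, not a change to what the patch applies, and the same pattern repeats in the patch files that follow. Regenerating the whole series in one go and saying so in the commit message would make that clear to anyone diffing the dist-git history.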

View File

@ -12,7 +12,7 @@ commit easier.
1 file changed, 10 insertions(+), 11 deletions(-)
diff --git a/generator/states-connect.c b/generator/states-connect.c
index 392879d..03b34c7 100644
index 392879d4..03b34c7d 100644
--- a/generator/states-connect.c
+++ b/generator/states-connect.c
@@ -47,11 +47,12 @@ disable_nagle (int sock)
@ -53,5 +53,5 @@ index 392879d..03b34c7 100644
CONNECT.CONNECTING:
--
2.31.1
2.43.0

View File

@ -17,7 +17,7 @@ Reviewed-by: Martin Kletzander <mkletzan@redhat.com>
1 file changed, 16 insertions(+)
diff --git a/generator/states-connect.c b/generator/states-connect.c
index 03b34c7..98c26e5 100644
index 03b34c7d..98c26e54 100644
--- a/generator/states-connect.c
+++ b/generator/states-connect.c
@@ -70,6 +70,22 @@ STATE_MACHINE {
@ -44,5 +44,5 @@ index 03b34c7..98c26e5 100644
set_error (errno, "connect");
return 0;
--
2.31.1
2.43.0

View File

@ -24,7 +24,7 @@ Fixes: bbf1c51392 (api: Give aio_opt_go a completion callback)
1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/lib/opt.c b/lib/opt.c
index 2317b72..e5802f4 100644
index 2317b72a..e5802f4d 100644
--- a/lib/opt.c
+++ b/lib/opt.c
@@ -1,5 +1,5 @@
@ -55,5 +55,5 @@ index 2317b72..e5802f4 100644
return -1;
}
--
2.31.1
2.43.0

View File

@ -13,7 +13,7 @@ Fixes: fb4440de9cc7 (opt_go: Tolerate unplanned server death)
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/docs/libnbd-security.pod b/docs/libnbd-security.pod
index d8ead87..0cae846 100644
index d8ead875..0cae8462 100644
--- a/docs/libnbd-security.pod
+++ b/docs/libnbd-security.pod
@@ -22,6 +22,12 @@ L<https://www.redhat.com/archives/libguestfs/2019-September/msg00128.html>
@ -36,5 +36,5 @@ index d8ead87..0cae846 100644
-Copyright (C) 2019 Red Hat Inc.
+Copyright (C) 2019-2021 Red Hat Inc.
--
2.31.1
2.43.0

View File

@ -47,7 +47,7 @@ Conflicts:
2 files changed, 18 insertions(+), 12 deletions(-)
diff --git a/copy/file-ops.c b/copy/file-ops.c
index 086348a..cc312b4 100644
index 086348a2..cc312b48 100644
--- a/copy/file-ops.c
+++ b/copy/file-ops.c
@@ -1,5 +1,5 @@
@ -114,7 +114,7 @@ index 086348a..cc312b4 100644
exit (EXIT_FAILURE);
}
diff --git a/copy/multi-thread-copying.c b/copy/multi-thread-copying.c
index a7aaa7d..2593ff7 100644
index a7aaa7de..2593ff76 100644
--- a/copy/multi-thread-copying.c
+++ b/copy/multi-thread-copying.c
@@ -1,5 +1,5 @@
@ -159,5 +159,5 @@ index a7aaa7d..2593ff7 100644
static int
--
2.31.1
2.43.0

View File

@ -78,7 +78,7 @@ a potential leak of nbdcopy heap contents into the destination.
create mode 100755 copy/copy-nbd-error.sh
diff --git a/TODO b/TODO
index 510c219..19c21d4 100644
index 510c219a..19c21d44 100644
--- a/TODO
+++ b/TODO
@@ -35,6 +35,7 @@ nbdcopy:
@ -90,7 +90,7 @@ index 510c219..19c21d4 100644
nbdfuse:
- If you write beyond the end of the virtual file, it returns EIO.
diff --git a/copy/Makefile.am b/copy/Makefile.am
index d318388..3406cd8 100644
index d318388f..3406cd85 100644
--- a/copy/Makefile.am
+++ b/copy/Makefile.am
@@ -1,5 +1,5 @@
@ -118,7 +118,7 @@ index d318388..3406cd8 100644
copy-sparse-allocated.sh \
diff --git a/copy/copy-nbd-error.sh b/copy/copy-nbd-error.sh
new file mode 100755
index 0000000..bba71db
index 00000000..bba71db5
--- /dev/null
+++ b/copy/copy-nbd-error.sh
@@ -0,0 +1,81 @@
@ -204,7 +204,7 @@ index 0000000..bba71db
+
+exit $fail
diff --git a/copy/file-ops.c b/copy/file-ops.c
index cc312b4..b19af04 100644
index cc312b48..b19af04c 100644
--- a/copy/file-ops.c
+++ b/copy/file-ops.c
@@ -162,10 +162,8 @@ file_asynch_read (struct rw *rw,
@ -246,7 +246,7 @@ index cc312b4..b19af04 100644
}
diff --git a/copy/multi-thread-copying.c b/copy/multi-thread-copying.c
index 2593ff7..28749ae 100644
index 2593ff76..28749ae7 100644
--- a/copy/multi-thread-copying.c
+++ b/copy/multi-thread-copying.c
@@ -28,6 +28,7 @@
@ -284,7 +284,7 @@ index 2593ff7..28749ae 100644
if (--buffer->refs == 0) {
free (buffer->data);
diff --git a/copy/nbdcopy.h b/copy/nbdcopy.h
index 3dcc6df..9626a52 100644
index 3dcc6dfe..9626a52c 100644
--- a/copy/nbdcopy.h
+++ b/copy/nbdcopy.h
@@ -1,5 +1,5 @@
@ -314,5 +314,5 @@ index 3dcc6df..9626a52 100644
bool (*asynch_zero) (struct rw *rw, struct command *command,
nbd_completion_callback cb);
--
2.31.1
2.43.0

View File

@ -0,0 +1,94 @@
From cd4f3bed33d5ffdba6846d270c0e11713bc1caf6 Mon Sep 17 00:00:00 2001
From: "Richard W.M. Jones" <rjones@redhat.com>
Date: Tue, 25 Jun 2024 10:55:54 +0100
Subject: [PATCH] build: Move to minimum gnutls >= 3.5.18
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
This version matches current qemu.
RHEL 7 gnutls is too old (lacks gnutls_session_set_verify_cert), which
means TLS will be disabled on this platform. RHEL 8 has gnutls 3.6.14.
I also unconditionally enabled the gnutls/socket.h header. This
header was added in 2016 (gnutls 3.5.3), so it's not present in RHEL 7.
On RHEL 7 the configure-time test now prints:
checking for GNUTLS... no
configure: WARNING: gnutls not found or < 3.5.18, TLS support will be disabled.
...
Optional library features:
TLS support ............................ no
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
(cherry picked from commit 5ff09cdbbd19226dd2d5015d76134f88dee9321e)
(cherry picked from commit cb6df4f81a97d5d58385d89b0135039f1eddee15)
---
configure.ac | 12 +++---------
lib/crypto.c | 5 +----
2 files changed, 4 insertions(+), 13 deletions(-)
diff --git a/configure.ac b/configure.ac
index da3dc38a..29e3b47a 100644
--- a/configure.ac
+++ b/configure.ac
@@ -94,12 +94,13 @@ AC_ARG_WITH([gnutls],
[],
[with_gnutls=check])
AS_IF([test "$with_gnutls" != "no"],[
- PKG_CHECK_MODULES([GNUTLS], [gnutls >= 3.3.0], [
+ PKG_CHECK_MODULES([GNUTLS], [gnutls >= 3.5.18], [
+ printf "gnutls version is "; $PKG_CONFIG --modversion gnutls
AC_SUBST([GNUTLS_CFLAGS])
AC_SUBST([GNUTLS_LIBS])
AC_DEFINE([HAVE_GNUTLS],[1],[gnutls found at compile time.])
], [
- AC_MSG_WARN([gnutls not found or < 3.3.0, TLS support will be disabled.])
+ AC_MSG_WARN([gnutls not found or < 3.5.18, TLS support will be disabled.])
])
])
AM_CONDITIONAL([HAVE_GNUTLS], [test "x$GNUTLS_LIBS" != "x"])
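Review bot: the added `printf "gnutls version is "; $PKG_CONFIG --modversion gnutls` is a raw shell statement inside the PKG_CHECK_MODULES success branch, so its output lands unlabelled in the middle of configure's normal messages; wrapping it in AC_MSG_NOTICE would keep the log consistent. The pkg-config floor and the AC_MSG_WARN text now both say 3.5.18, which removes the earlier mismatch between the check and the message.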
@@ -114,13 +115,6 @@ AS_IF([test "$GNUTLS_LIBS" != ""],[
AC_MSG_RESULT([$tls_priority])
AC_DEFINE_UNQUOTED([TLS_PRIORITY],["$tls_priority"],
[Default TLS session priority string])
-
- # Check for APIs which may not be present.
- old_LIBS="$LIBS"
- LIBS="$GNUTLS_LIBS $LIBS"
- AC_CHECK_FUNCS([\
- gnutls_session_set_verify_cert])
- LIBS="$old_LIBS"
])
dnl certtool (part of GnuTLS) for testing TLS with certificates.
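Review bot: dropping the AC_CHECK_FUNCS probe means HAVE_GNUTLS_SESSION_SET_VERIFY_CERT is no longer defined anywhere, so every remaining `#ifdef` on it would now silently compile its code out; the lib/crypto.c hunk below removes the one use, but it is worth grepping the rest of the tree before merging, because a stale guard would reintroduce exactly the skipped-verification behaviour this series is fixing.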
diff --git a/lib/crypto.c b/lib/crypto.c
index a9b3789c..705e114a 100644
--- a/lib/crypto.c
+++ b/lib/crypto.c
@@ -28,6 +28,7 @@
#ifdef HAVE_GNUTLS
#include <gnutls/gnutls.h>
+#include <gnutls/socket.h>
#endif
#include "internal.h"
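Review bot: the unconditional `#include <gnutls/socket.h>` sits inside the existing `#ifdef HAVE_GNUTLS` block, which is the right place: the commit message notes the header only exists from gnutls 3.5.3, and after the configure change HAVE_GNUTLS implies gnutls >= 3.5.18, so no separate header check is needed.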
@@ -512,12 +513,8 @@ set_up_certificate_credentials (struct nbd_handle *h,
return NULL;
found_certificates:
-#ifdef HAVE_GNUTLS_SESSION_SET_VERIFY_CERT
if (h->hostname && h->tls_verify_peer)
gnutls_session_set_verify_cert (session, h->hostname, 0);
-#else
- debug (h, "ignoring nbd_set_tls_verify_peer, this requires GnuTLS >= 3.4.6");
-#endif
err = gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, ret);
if (err < 0) {
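Review bot: removing the `#else` branch eliminates the build configuration in which `h->tls_verify_peer` was honoured only by emitting a debug message ("ignoring nbd_set_tls_verify_peer ...") while the session proceeded without certificate verification; that silent skip is the improper certificate validation named in the top-level commit, and making `gnutls_session_set_verify_cert` unconditional at the source level is the correct fix. Note that the call is still guarded by `h->hostname`, so a handle with no hostname set does not get name-based verification from this hunk; that is pre-existing behaviour rather than something this patch introduces, but the commit message should say so.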
--
2.43.0

View File

@ -0,0 +1,727 @@
From a852cec30a6540b5c1ea2947195454eef6269944 Mon Sep 17 00:00:00 2001
From: "Richard W.M. Jones" <rjones@redhat.com>
Date: Fri, 27 Aug 2021 15:12:12 +0100
Subject: [PATCH] tests: Factor out some common Makefile flags
We can use AM_CPPFLAGS, AM_CFLAGS etc to factor out some common flags
in the tests. Note the rules here are complicated, see:
https://www.gnu.org/software/automake/manual/html_node/Flag-Variables-Ordering.html
and for unclear reasons there is no AM_LDADD nor any workaround:
https://stackoverflow.com/questions/29252969/automake-am-ldadd-workaround
This commit is mostly pure refactoring but it also tries to make the
flags usage more consistent across tests so it may have side-effects
like enabling more warnings.
(cherry picked from commit 5fd648f821e9ab3ee08bf360348d1fb01537a267)
(cherry picked from commit 6cb1f74b09beca1ddaef794136f221bfb7bb4faa)
---
interop/Makefile.am | 57 ++++++-------
tests/Makefile.am | 190 ++++++++++++++++++--------------------------
2 files changed, 104 insertions(+), 143 deletions(-)
diff --git a/interop/Makefile.am b/interop/Makefile.am
index 9787c26e..9432ad43 100644
--- a/interop/Makefile.am
+++ b/interop/Makefile.am
@@ -28,6 +28,16 @@ LOG_COMPILER = $(top_builddir)/run
check_PROGRAMS =
TESTS =
+# Common flags.
+# Note there is no such thing as "AM_LDADD".
+AM_CPPFLAGS = \
+ -I$(top_srcdir)/include \
+ -I$(top_srcdir)/tests \
+ $(NULL)
+AM_CFLAGS = \
+ $(WARNINGS_CFLAGS) \
+ $(NULL)
+
if HAVE_NBD_SERVER
check_PROGRAMS += \
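Review bot: the new AM_CPPFLAGS adds `-I$(top_srcdir)/tests`, which none of the per-target `_CPPFLAGS` being replaced in this file contained, so every interop program now searches the tests directory for headers; if that is intentional (shared test helpers) it belongs in the commit message, since the message describes the change as mostly pure refactoring.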
@@ -41,22 +51,20 @@ TESTS += \
interop_nbd_server_SOURCES = interop.c
interop_nbd_server_CPPFLAGS = \
- -I$(top_srcdir)/include \
+ $(AM_CPPFLAGS) \
-DSERVER=\"$(NBD_SERVER)\" \
-DSERVER_PARAMS='"-d", "-C", "/dev/null", "0", tmpfile' \
-DEXPORT_NAME='""'
-interop_nbd_server_CFLAGS = $(WARNINGS_CFLAGS)
interop_nbd_server_LDADD = $(top_builddir)/lib/libnbd.la
list_exports_nbd_server_SOURCES = list-exports.c
list_exports_nbd_server_CPPFLAGS = \
- -I$(top_srcdir)/include \
+ $(AM_CPPFLAGS) \
-DSERVER=\"$(NBD_SERVER)\" \
-DSERVER_PARAMS='"-C", "$(srcdir)/list-exports-nbd-config", "-d", "0"' \
-DEXPORTS='"disk1", "disk2"' \
-DDESCRIPTIONS='"", ""' \
$(NULL)
-list_exports_nbd_server_CFLAGS = $(WARNINGS_CFLAGS)
list_exports_nbd_server_LDADD = $(top_builddir)/lib/libnbd.la
endif HAVE_NBD_SERVER
@@ -104,19 +112,18 @@ endif
interop_qemu_nbd_SOURCES = interop.c
interop_qemu_nbd_CPPFLAGS = \
- -I$(top_srcdir)/include \
+ $(AM_CPPFLAGS) \
-DSOCKET_ACTIVATION=1 \
-DSERVER=\"$(QEMU_NBD)\" \
-DSERVER_PARAMS='"-f", "raw", "-x", "/", tmpfile' \
-DEXPORT_NAME='"/"' \
$(NULL)
-interop_qemu_nbd_CFLAGS = $(WARNINGS_CFLAGS)
interop_qemu_nbd_LDADD = $(top_builddir)/lib/libnbd.la
# qemu-nbd requires absolute path to dir
interop_qemu_nbd_tls_certs_SOURCES = interop.c
interop_qemu_nbd_tls_certs_CPPFLAGS = \
- -I$(top_srcdir)/include \
+ $(AM_CPPFLAGS) \
-DSOCKET_ACTIVATION=1 \
-DSERVER=\"$(QEMU_NBD)\" \
-DSERVER_PARAMS='"--object", "tls-creds-x509,id=tls0,endpoint=server,dir=$(abs_top_builddir)/tests/pki", "--tls-creds", "tls0", "-f", "raw", "-x", "/", tmpfile' \
@@ -124,13 +131,12 @@ interop_qemu_nbd_tls_certs_CPPFLAGS = \
-DCERTS=1 \
-DTLS_MODE=LIBNBD_TLS_REQUIRE \
$(NULL)
-interop_qemu_nbd_tls_certs_CFLAGS = $(WARNINGS_CFLAGS)
interop_qemu_nbd_tls_certs_LDADD = $(top_builddir)/lib/libnbd.la
# qemu-nbd requires absolute path to dir
interop_qemu_nbd_tls_psk_SOURCES = interop.c
interop_qemu_nbd_tls_psk_CPPFLAGS = \
- -I$(top_srcdir)/include \
+ $(AM_CPPFLAGS) \
-DSOCKET_ACTIVATION=1 \
-DSERVER=\"$(QEMU_NBD)\" \
-DSERVER_PARAMS='"--object", "tls-creds-psk,id=tls0,endpoint=server,dir=$(abs_top_builddir)/tests", "--tls-creds", "tls0", "-f", "raw", "-x", "/", tmpfile' \
@@ -138,7 +144,6 @@ interop_qemu_nbd_tls_psk_CPPFLAGS = \
-DPSK=1 \
-DTLS_MODE=LIBNBD_TLS_REQUIRE \
$(NULL)
-interop_qemu_nbd_tls_psk_CFLAGS = $(WARNINGS_CFLAGS)
interop_qemu_nbd_tls_psk_LDADD = $(top_builddir)/lib/libnbd.la
dirty_bitmap_SOURCES = dirty-bitmap.c
@@ -148,28 +153,24 @@ dirty_bitmap_LDADD = $(top_builddir)/lib/libnbd.la
list_exports_qemu_nbd_SOURCES = list-exports.c
list_exports_qemu_nbd_CPPFLAGS = \
- -I$(top_srcdir)/include \
+ $(AM_CPPFLAGS) \
-DSOCKET_ACTIVATION=1 \
-DSERVER=\"$(QEMU_NBD)\" \
-DSERVER_PARAMS='"-f", "raw", "-x", "testing", "-D", "data", tmpfile' \
-DEXPORTS='"testing"' \
-DDESCRIPTIONS='"data"' \
$(NULL)
-list_exports_qemu_nbd_CFLAGS = $(WARNINGS_CFLAGS)
list_exports_qemu_nbd_LDADD = $(top_builddir)/lib/libnbd.la
socket_activation_qemu_nbd_SOURCES = socket-activation.c
socket_activation_qemu_nbd_CPPFLAGS = \
- -I$(top_srcdir)/include \
+ $(AM_CPPFLAGS) \
-DSERVER=\"$(QEMU_NBD)\" \
-DSERVER_PARAMS='"-f", "raw", "-x", "", tmpfile' \
$(NULL)
-socket_activation_qemu_nbd_CFLAGS = $(WARNINGS_CFLAGS)
socket_activation_qemu_nbd_LDADD = $(top_builddir)/lib/libnbd.la
structured_read_SOURCES = structured-read.c
-structured_read_CPPFLAGS = -I$(top_srcdir)/include
-structured_read_CFLAGS = $(WARNINGS_CFLAGS)
structured_read_LDADD = $(top_builddir)/lib/libnbd.la
endif HAVE_QEMU_NBD
@@ -215,88 +216,80 @@ endif
interop_nbdkit_SOURCES = interop.c
interop_nbdkit_CPPFLAGS = \
- -I$(top_srcdir)/include \
+ $(AM_CPPFLAGS) \
-DSERVER=\"$(NBDKIT)\" \
-DSERVER_PARAMS='"-s", "--exit-with-parent", "file", tmpfile' \
$(NULL)
-interop_nbdkit_CFLAGS = $(WARNINGS_CFLAGS)
interop_nbdkit_LDADD = $(top_builddir)/lib/libnbd.la
interop_nbdkit_tls_certs_SOURCES = interop.c
interop_nbdkit_tls_certs_CPPFLAGS = \
- -I$(top_srcdir)/include \
+ $(AM_CPPFLAGS) \
-DSERVER=\"$(NBDKIT)\" \
-DSERVER_PARAMS='"--tls=require", "--tls-certificates=../tests/pki", "-s", "--exit-with-parent", "file", tmpfile' \
-DCERTS=1 \
-DTLS_MODE=LIBNBD_TLS_REQUIRE \
$(NULL)
-interop_nbdkit_tls_certs_CFLAGS = $(WARNINGS_CFLAGS)
interop_nbdkit_tls_certs_LDADD = $(top_builddir)/lib/libnbd.la
interop_nbdkit_tls_certs_allow_enabled_SOURCES = interop.c
interop_nbdkit_tls_certs_allow_enabled_CPPFLAGS = \
- -I$(top_srcdir)/include \
+ $(AM_CPPFLAGS) \
-DSERVER=\"$(NBDKIT)\" \
-DSERVER_PARAMS='"--tls=require", "--tls-certificates=../tests/pki", "-s", "--exit-with-parent", "file", tmpfile' \
-DCERTS=1 \
-DTLS_MODE=LIBNBD_TLS_ALLOW \
$(NULL)
-interop_nbdkit_tls_certs_allow_enabled_CFLAGS = $(WARNINGS_CFLAGS)
interop_nbdkit_tls_certs_allow_enabled_LDADD = $(top_builddir)/lib/libnbd.la
interop_nbdkit_tls_certs_allow_fallback_SOURCES = interop.c
interop_nbdkit_tls_certs_allow_fallback_CPPFLAGS = \
- -I$(top_srcdir)/include \
+ $(AM_CPPFLAGS) \
-DSERVER=\"$(NBDKIT)\" \
-DSERVER_PARAMS='"--tls=off", "-s", "--exit-with-parent", "file", tmpfile' \
-DCERTS=1 \
-DTLS_MODE=LIBNBD_TLS_ALLOW \
-DTLS_FALLBACK=1 \
$(NULL)
-interop_nbdkit_tls_certs_allow_fallback_CFLAGS = $(WARNINGS_CFLAGS)
interop_nbdkit_tls_certs_allow_fallback_LDADD = $(top_builddir)/lib/libnbd.la
interop_nbdkit_tls_psk_SOURCES = interop.c
interop_nbdkit_tls_psk_CPPFLAGS = \
- -I$(top_srcdir)/include \
+ $(AM_CPPFLAGS) \
-DSERVER=\"$(NBDKIT)\" \
-DSERVER_PARAMS='"--tls=require", "--tls-psk=../tests/keys.psk", "-s", "--exit-with-parent", "file", tmpfile' \
-DPSK=1 \
-DTLS_MODE=LIBNBD_TLS_REQUIRE \
$(NULL)
-interop_nbdkit_tls_psk_CFLAGS = $(WARNINGS_CFLAGS)
interop_nbdkit_tls_psk_LDADD = $(top_builddir)/lib/libnbd.la
interop_nbdkit_tls_psk_allow_enabled_SOURCES = interop.c
interop_nbdkit_tls_psk_allow_enabled_CPPFLAGS = \
- -I$(top_srcdir)/include \
+ $(AM_CPPFLAGS) \
-DSERVER=\"$(NBDKIT)\" \
-DSERVER_PARAMS='"--tls=require", "--tls-psk=../tests/keys.psk", "-s", "--exit-with-parent", "file", tmpfile' \
-DPSK=1 \
-DTLS_MODE=LIBNBD_TLS_ALLOW \
$(NULL)
-interop_nbdkit_tls_psk_allow_enabled_CFLAGS = $(WARNINGS_CFLAGS)
interop_nbdkit_tls_psk_allow_enabled_LDADD = $(top_builddir)/lib/libnbd.la
interop_nbdkit_tls_psk_allow_fallback_SOURCES = interop.c
interop_nbdkit_tls_psk_allow_fallback_CPPFLAGS = \
- -I$(top_srcdir)/include \
+ $(AM_CPPFLAGS) \
-DSERVER=\"$(NBDKIT)\" \
-DSERVER_PARAMS='"--tls=off", "-s", "--exit-with-parent", "file", tmpfile' \
-DPSK=1 \
-DTLS_MODE=LIBNBD_TLS_ALLOW \
-DTLS_FALLBACK=1 \
$(NULL)
-interop_nbdkit_tls_psk_allow_fallback_CFLAGS = $(WARNINGS_CFLAGS)
interop_nbdkit_tls_psk_allow_fallback_LDADD = $(top_builddir)/lib/libnbd.la
socket_activation_nbdkit_SOURCES = socket-activation.c
socket_activation_nbdkit_CPPFLAGS = \
- -I$(top_srcdir)/include \
+ $(AM_CPPFLAGS) \
-DSERVER=\"$(NBDKIT)\" \
-DSERVER_PARAMS='"file", tmpfile' \
$(NULL)
-socket_activation_nbdkit_CFLAGS = $(WARNINGS_CFLAGS)
socket_activation_nbdkit_LDADD = $(top_builddir)/lib/libnbd.la
endif HAVE_NBDKIT
diff --git a/tests/Makefile.am b/tests/Makefile.am
index 64320cad..436e1c10 100644
--- a/tests/Makefile.am
+++ b/tests/Makefile.am
@@ -52,6 +52,18 @@ TESTS_ENVIRONMENT = srcdir=$(srcdir) LIBNBD_DEBUG=1
# Use the ./run script so we're always using the local library and tools.
LOG_COMPILER = $(top_builddir)/run
+# Common flags.
+# Note there is no such thing as "AM_LDADD".
+AM_CPPFLAGS = \
+ -I$(top_srcdir)/include \
+ $(NULL)
+AM_CFLAGS = \
+ $(WARNINGS_CFLAGS) \
+ $(NULL)
+AM_CXXFLAGS = \
+ $(WARNINGS_CFLAGS) \
+ $(NULL)
+
#----------------------------------------------------------------------
# The following tests do not need an NBD server.
@@ -81,45 +93,30 @@ TESTS += \
.PHONY: compile
compile_header_only_SOURCES = compile-header-only.c
-compile_header_only_CPPFLAGS = -I$(top_srcdir)/include
-compile_header_only_CFLAGS = $(WARNINGS_CFLAGS)
compile_header_only_LDADD = $(top_builddir)/lib/libnbd.la
compile_c_SOURCES = compile.c
-compile_c_CPPFLAGS = -I$(top_srcdir)/include
-compile_c_CFLAGS = $(WARNINGS_CFLAGS)
compile_c_LDADD = $(top_builddir)/lib/libnbd.la
compile_ansi_c_SOURCES = compile-ansi-c.c
compile_ansi_c_CPPFLAGS = \
- -I$(top_srcdir)/include \
+ $(AM_CPPFLAGS) \
-std=c90 -pedantic
-compile_ansi_c_CFLAGS = $(WARNINGS_CFLAGS)
compile_ansi_c_LDADD = $(top_builddir)/lib/libnbd.la
close_null_SOURCES = close-null.c
-close_null_CPPFLAGS = -I$(top_srcdir)/include
-close_null_CFLAGS = $(WARNINGS_CFLAGS)
close_null_LDADD = $(top_builddir)/lib/libnbd.la
debug_SOURCES = debug.c
-debug_CPPFLAGS = -I$(top_srcdir)/include
-debug_CFLAGS = $(WARNINGS_CFLAGS)
debug_LDADD = $(top_builddir)/lib/libnbd.la
debug_environment_SOURCES = debug-environment.c
-debug_environment_CPPFLAGS = -I$(top_srcdir)/include
-debug_environment_CFLAGS = $(WARNINGS_CFLAGS)
debug_environment_LDADD = $(top_builddir)/lib/libnbd.la
version_SOURCES = version.c
-version_CPPFLAGS = -I$(top_srcdir)/include
-version_CFLAGS = $(WARNINGS_CFLAGS)
version_LDADD = $(top_builddir)/lib/libnbd.la
export_name_SOURCES = export-name.c
-export_name_CPPFLAGS = -I$(top_srcdir)/include
-export_name_CFLAGS = $(WARNINGS_CFLAGS)
export_name_LDADD = $(top_builddir)/lib/libnbd.la
if HAVE_CXX
@@ -128,8 +125,6 @@ check_PROGRAMS += compile-cxx
TESTS += compile-cxx
compile_cxx_SOURCES = compile-cxx.cpp
-compile_cxx_CPPFLAGS = -I$(top_srcdir)/include
-compile_cxx_CXXFLAGS = $(WARNINGS_CFLAGS)
compile_cxx_LDADD = $(top_builddir)/lib/libnbd.la
endif HAVE_CXX
@@ -220,243 +215,208 @@ TESTS += \
$(NULL)
errors_SOURCES = errors.c
-errors_CPPFLAGS = -I$(top_srcdir)/include
-errors_CFLAGS = $(WARNINGS_CFLAGS)
errors_LDADD = $(top_builddir)/lib/libnbd.la
server_death_SOURCES = server-death.c
-server_death_CPPFLAGS = -I$(top_srcdir)/include
-server_death_CFLAGS = $(WARNINGS_CFLAGS)
server_death_LDADD = $(top_builddir)/lib/libnbd.la
shutdown_flags_SOURCES = shutdown-flags.c
-shutdown_flags_CPPFLAGS = -I$(top_srcdir)/include
-shutdown_flags_CFLAGS = $(WARNINGS_CFLAGS)
shutdown_flags_LDADD = $(top_builddir)/lib/libnbd.la
get_size_SOURCES = get-size.c
-get_size_CPPFLAGS = -I$(top_srcdir)/include
-get_size_CFLAGS = $(WARNINGS_CFLAGS)
get_size_LDADD = $(top_builddir)/lib/libnbd.la
read_only_flag_SOURCES = read-only-flag.c
-read_only_flag_CPPFLAGS = -I$(top_srcdir)/include
-read_only_flag_CFLAGS = $(WARNINGS_CFLAGS)
read_only_flag_LDADD = $(top_builddir)/lib/libnbd.la
read_write_flag_SOURCES = read-write-flag.c
-read_write_flag_CPPFLAGS = -I$(top_srcdir)/include
-read_write_flag_CFLAGS = $(WARNINGS_CFLAGS)
read_write_flag_LDADD = $(top_builddir)/lib/libnbd.la
can_flush_flag_SOURCES = eflags.c
can_flush_flag_CPPFLAGS = \
- -I$(top_srcdir)/include -Dflag=can_flush \
+ $(AM_CPPFLAGS) \
+ -Dflag=can_flush \
$(NULL)
-can_flush_flag_CFLAGS = $(WARNINGS_CFLAGS)
can_flush_flag_LDADD = $(top_builddir)/lib/libnbd.la
can_not_flush_flag_SOURCES = eflags.c
can_not_flush_flag_CPPFLAGS = \
- -I$(top_srcdir)/include -Dflag=can_flush -Dvalue=false \
+ $(AM_CPPFLAGS) \
+ -Dflag=can_flush -Dvalue=false \
$(NULL)
-can_not_flush_flag_CFLAGS = $(WARNINGS_CFLAGS)
can_not_flush_flag_LDADD = $(top_builddir)/lib/libnbd.la
can_fua_flag_SOURCES = eflags.c
can_fua_flag_CPPFLAGS = \
- -I$(top_srcdir)/include -Dflag=can_fua -Dvalue=native \
+ $(AM_CPPFLAGS) \
+ -Dflag=can_fua -Dvalue=native \
$(NULL)
-can_fua_flag_CFLAGS = $(WARNINGS_CFLAGS)
can_fua_flag_LDADD = $(top_builddir)/lib/libnbd.la
can_not_fua_flag_SOURCES = eflags.c
can_not_fua_flag_CPPFLAGS = \
- -I$(top_srcdir)/include -Dflag=can_fua -Dvalue=none \
+ $(AM_CPPFLAGS) \
+ -Dflag=can_fua -Dvalue=none \
$(NULL)
-can_not_fua_flag_CFLAGS = $(WARNINGS_CFLAGS)
can_not_fua_flag_LDADD = $(top_builddir)/lib/libnbd.la
is_rotational_flag_SOURCES = eflags.c
is_rotational_flag_CPPFLAGS = \
- -I$(top_srcdir)/include -Dflag=is_rotational \
+ $(AM_CPPFLAGS) \
+ -Dflag=is_rotational \
$(NULL)
-is_rotational_flag_CFLAGS = $(WARNINGS_CFLAGS)
is_rotational_flag_LDADD = $(top_builddir)/lib/libnbd.la
is_not_rotational_flag_SOURCES = eflags.c
is_not_rotational_flag_CPPFLAGS = \
- -I$(top_srcdir)/include -Dflag=is_rotational -Dvalue=false \
+ $(AM_CPPFLAGS) \
+ -Dflag=is_rotational -Dvalue=false \
$(NULL)
-is_not_rotational_flag_CFLAGS = $(WARNINGS_CFLAGS)
is_not_rotational_flag_LDADD = $(top_builddir)/lib/libnbd.la
can_trim_flag_SOURCES = eflags.c
can_trim_flag_CPPFLAGS = \
- -I$(top_srcdir)/include -Dflag=can_trim \
+ $(AM_CPPFLAGS) \
+ -Dflag=can_trim \
$(NULL)
-can_trim_flag_CFLAGS = $(WARNINGS_CFLAGS)
can_trim_flag_LDADD = $(top_builddir)/lib/libnbd.la
can_not_trim_flag_SOURCES = eflags.c
can_not_trim_flag_CPPFLAGS = \
- -I$(top_srcdir)/include -Dflag=can_trim -Dvalue=false \
+ $(AM_CPPFLAGS) \
+ -Dflag=can_trim -Dvalue=false \
$(NULL)
-can_not_trim_flag_CFLAGS = $(WARNINGS_CFLAGS)
can_not_trim_flag_LDADD = $(top_builddir)/lib/libnbd.la
can_zero_flag_SOURCES = eflags.c
can_zero_flag_CPPFLAGS = \
- -I$(top_srcdir)/include -Dflag=can_zero \
+ $(AM_CPPFLAGS) \
+ -Dflag=can_zero \
$(NULL)
-can_zero_flag_CFLAGS = $(WARNINGS_CFLAGS)
can_zero_flag_LDADD = $(top_builddir)/lib/libnbd.la
can_not_zero_flag_SOURCES = eflags.c
can_not_zero_flag_CPPFLAGS = \
- -I$(top_srcdir)/include -Dflag=can_zero -Dvalue=false \
+ $(AM_CPPFLAGS) \
+ -Dflag=can_zero -Dvalue=false \
-Dfilter='"--filter=nozero"' \
$(NULL)
-can_not_zero_flag_CFLAGS = $(WARNINGS_CFLAGS)
can_not_zero_flag_LDADD = $(top_builddir)/lib/libnbd.la
can_fast_zero_flag_SOURCES = eflags.c
can_fast_zero_flag_CPPFLAGS = \
+ $(AM_CPPFLAGS) \
-I$(top_srcdir)/include -Dflag=can_fast_zero \
-Drequire='"has_can_fast_zero=1"' \
$(NULL)
-can_fast_zero_flag_CFLAGS = $(WARNINGS_CFLAGS)
can_fast_zero_flag_LDADD = $(top_builddir)/lib/libnbd.la
can_not_fast_zero_flag_SOURCES = eflags.c
can_not_fast_zero_flag_CPPFLAGS = \
+ $(AM_CPPFLAGS) \
-I$(top_srcdir)/include -Dflag=can_fast_zero -Dvalue=false \
-Drequire='"has_can_fast_zero=1"' \
$(NULL)
-can_not_fast_zero_flag_CFLAGS = $(WARNINGS_CFLAGS)
can_not_fast_zero_flag_LDADD = $(top_builddir)/lib/libnbd.la
can_df_flag_SOURCES = eflags.c
can_df_flag_CPPFLAGS = \
- -I$(top_srcdir)/include -Dflag=can_df \
+ $(AM_CPPFLAGS) \
+ -Dflag=can_df \
$(NULL)
-can_df_flag_CFLAGS = $(WARNINGS_CFLAGS)
can_df_flag_LDADD = $(top_builddir)/lib/libnbd.la
can_not_df_flag_SOURCES = eflags.c
can_not_df_flag_CPPFLAGS = \
- -I$(top_srcdir)/include -Dflag=can_df -Dvalue=false -Dno_sr \
+ $(AM_CPPFLAGS) \
+ -Dflag=can_df -Dvalue=false -Dno_sr \
$(NULL)
-can_not_df_flag_CFLAGS = $(WARNINGS_CFLAGS)
can_not_df_flag_LDADD = $(top_builddir)/lib/libnbd.la
can_multi_conn_flag_SOURCES = eflags.c
can_multi_conn_flag_CPPFLAGS = \
- -I$(top_srcdir)/include -Dflag=can_multi_conn \
+ $(AM_CPPFLAGS) \
+ -Dflag=can_multi_conn \
$(NULL)
-can_multi_conn_flag_CFLAGS = $(WARNINGS_CFLAGS)
can_multi_conn_flag_LDADD = $(top_builddir)/lib/libnbd.la
can_not_multi_conn_flag_SOURCES = eflags.c
can_not_multi_conn_flag_CPPFLAGS = \
- -I$(top_srcdir)/include -Dflag=can_multi_conn -Dvalue=false \
+ $(AM_CPPFLAGS) \
+ -Dflag=can_multi_conn -Dvalue=false \
$(NULL)
-can_not_multi_conn_flag_CFLAGS = $(WARNINGS_CFLAGS)
can_not_multi_conn_flag_LDADD = $(top_builddir)/lib/libnbd.la
can_cache_flag_SOURCES = eflags.c
can_cache_flag_CPPFLAGS = \
+ $(AM_CPPFLAGS) \
-I$(top_srcdir)/include -Dflag=can_cache -Dvalue=native \
-Drequire='"has_can_cache=1"' \
$(NULL)
-can_cache_flag_CFLAGS = $(WARNINGS_CFLAGS)
can_cache_flag_LDADD = $(top_builddir)/lib/libnbd.la
can_not_cache_flag_SOURCES = eflags.c
can_not_cache_flag_CPPFLAGS = \
+ $(AM_CPPFLAGS) \
-I$(top_srcdir)/include -Dflag=can_cache -Dvalue=none \
-Drequire='"has_can_cache=1"' \
$(NULL)
-can_not_cache_flag_CFLAGS = $(WARNINGS_CFLAGS)
can_not_cache_flag_LDADD = $(top_builddir)/lib/libnbd.la
oldstyle_SOURCES = oldstyle.c
-oldstyle_CPPFLAGS = -I$(top_srcdir)/include
-oldstyle_CFLAGS = $(WARNINGS_CFLAGS)
oldstyle_LDADD = $(top_builddir)/lib/libnbd.la
newstyle_limited_SOURCES = newstyle-limited.c
-newstyle_limited_CPPFLAGS = -I$(top_srcdir)/include
-newstyle_limited_CFLAGS = $(WARNINGS_CFLAGS)
newstyle_limited_LDADD = $(top_builddir)/lib/libnbd.la
opt_abort_SOURCES = opt-abort.c
-opt_abort_CPPFLAGS = -I$(top_srcdir)/include
-opt_abort_CFLAGS = $(WARNINGS_CFLAGS)
opt_abort_LDADD = $(top_builddir)/lib/libnbd.la
opt_list_SOURCES = opt-list.c
opt_list_CPPFLAGS = \
- -I$(top_srcdir)/include \
+ $(AM_CPPFLAGS) \
-DSCRIPT='"$(abs_srcdir)/opt-list.sh"' \
$(NULL)
-opt_list_CFLAGS = $(WARNINGS_CFLAGS)
opt_list_LDADD = $(top_builddir)/lib/libnbd.la
opt_info_SOURCES = opt-info.c
opt_info_CPPFLAGS = \
- -I$(top_srcdir)/include \
+ $(AM_CPPFLAGS) \
-DSCRIPT='"$(abs_srcdir)/opt-info.sh"' \
$(NULL)
-opt_info_CFLAGS = $(WARNINGS_CFLAGS)
opt_info_LDADD = $(top_builddir)/lib/libnbd.la
opt_list_meta_SOURCES = opt-list-meta.c
-opt_list_meta_CPPFLAGS = \
- -I$(top_srcdir)/include \
- $(NULL)
-opt_list_meta_CFLAGS = $(WARNINGS_CFLAGS)
opt_list_meta_LDADD = $(top_builddir)/lib/libnbd.la
connect_unix_SOURCES = connect-unix.c
-connect_unix_CPPFLAGS = -I$(top_srcdir)/include
-connect_unix_CFLAGS = $(WARNINGS_CFLAGS)
connect_unix_LDADD = $(top_builddir)/lib/libnbd.la
connect_tcp_SOURCES = connect-tcp.c
-connect_tcp_CPPFLAGS = -I$(top_srcdir)/include
-connect_tcp_CFLAGS = $(WARNINGS_CFLAGS)
connect_tcp_LDADD = $(top_builddir)/lib/libnbd.la
aio_parallel_SOURCES = aio-parallel.c
aio_parallel_CPPFLAGS = \
- -I$(top_srcdir)/include \
+ $(AM_CPPFLAGS) \
-I$(top_srcdir)/common/include \
$(NULL)
-aio_parallel_CFLAGS = $(WARNINGS_CFLAGS) $(PTHREAD_CFLAGS)
aio_parallel_LDADD = $(top_builddir)/lib/libnbd.la $(PTHREAD_LIBS)
aio_parallel_load_SOURCES = aio-parallel-load.c
-aio_parallel_load_CPPFLAGS = -I$(top_srcdir)/include
-aio_parallel_load_CFLAGS = $(WARNINGS_CFLAGS) $(PTHREAD_CFLAGS)
aio_parallel_load_LDADD = $(top_builddir)/lib/libnbd.la $(PTHREAD_LIBS)
synch_parallel_SOURCES = synch-parallel.c
synch_parallel_CPPFLAGS = \
- -I$(top_srcdir)/include \
+ $(AM_CPPFLAGS) \
-I$(top_srcdir)/common/include \
$(NULL)
-synch_parallel_CFLAGS = $(WARNINGS_CFLAGS) $(PTHREAD_CFLAGS)
+synch_parallel_CFLAGS = $(AM_CFLAGS) $(PTHREAD_CFLAGS)
synch_parallel_LDADD = $(top_builddir)/lib/libnbd.la $(PTHREAD_LIBS)
meta_base_allocation_SOURCES = meta-base-allocation.c
-meta_base_allocation_CPPFLAGS = -I$(top_srcdir)/include
-meta_base_allocation_CFLAGS = $(WARNINGS_CFLAGS)
meta_base_allocation_LDADD = $(top_builddir)/lib/libnbd.la
closure_lifetimes_SOURCES = closure-lifetimes.c
-closure_lifetimes_CPPFLAGS = -I$(top_srcdir)/include
-closure_lifetimes_CFLAGS = $(WARNINGS_CFLAGS)
closure_lifetimes_LDADD = $(top_builddir)/lib/libnbd.la
#----------------------------------------------------------------------
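Review bot: `aio_parallel_CFLAGS` and `aio_parallel_load_CFLAGS` are deleted without a replacement, so those two targets lose `$(PTHREAD_CFLAGS)` (AM_CFLAGS only carries `$(WARNINGS_CFLAGS)`), whereas `synch_parallel` in the same hunk gets `synch_parallel_CFLAGS = $(AM_CFLAGS) $(PTHREAD_CFLAGS)`; the two aio targets need the same line. Separately, `can_fast_zero_flag`, `can_not_fast_zero_flag`, `can_cache_flag` and `can_not_cache_flag` gain the `$(AM_CPPFLAGS)` line but keep their explicit `-I$(top_srcdir)/include`, so the include path is listed twice for them; drop the explicit `-I` as was done for the other eflags targets.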
@@ -470,8 +430,10 @@ check_DATA += pki/stamp-pki
TESTS += connect-tls-certs
connect_tls_certs_SOURCES = connect-tls.c
-connect_tls_certs_CPPFLAGS = -I$(top_srcdir)/include -DCERTS=1
-connect_tls_certs_CFLAGS = $(WARNINGS_CFLAGS)
+connect_tls_certs_CPPFLAGS = \
+ $(AM_CPPFLAGS) \
+ -DCERTS=1 \
+ $(NULL)
connect_tls_certs_LDADD = $(top_builddir)/lib/libnbd.la
pki/stamp-pki: $(srcdir)/make-pki.sh
@@ -499,31 +461,36 @@ TESTS += \
check_DATA += keys.psk
connect_tls_psk_SOURCES = connect-tls.c
-connect_tls_psk_CPPFLAGS = -I$(top_srcdir)/include -DPSK=1
-connect_tls_psk_CFLAGS = $(WARNINGS_CFLAGS)
+connect_tls_psk_CPPFLAGS = \
+ $(AM_CPPFLAGS) \
+ -DPSK=1 \
+ $(NULL)
connect_tls_psk_LDADD = $(top_builddir)/lib/libnbd.la
aio_parallel_tls_SOURCES = aio-parallel.c
aio_parallel_tls_CPPFLAGS = \
- -I$(top_srcdir)/include \
+ $(AM_CPPFLAGS) \
-I$(top_srcdir)/common/include \
-DTLS=1 \
$(NULL)
-aio_parallel_tls_CFLAGS = $(WARNINGS_CFLAGS) $(PTHREAD_CFLAGS)
+aio_parallel_tls_CFLAGS = $(AM_CFLAGS) $(PTHREAD_CFLAGS)
aio_parallel_tls_LDADD = $(top_builddir)/lib/libnbd.la $(PTHREAD_LIBS)
aio_parallel_load_tls_SOURCES = aio-parallel-load.c
-aio_parallel_load_tls_CPPFLAGS = -I$(top_srcdir)/include -DTLS=1
-aio_parallel_load_tls_CFLAGS = $(WARNINGS_CFLAGS) $(PTHREAD_CFLAGS)
+aio_parallel_load_tls_CPPFLAGS = \
+ $(AM_CPPFLAGS) \
+ -DTLS=1 \
+ $(NULL)
+aio_parallel_load_tls_CFLAGS = $(AM_CFLAGS) $(PTHREAD_CFLAGS)
aio_parallel_load_tls_LDADD = $(top_builddir)/lib/libnbd.la $(PTHREAD_LIBS)
synch_parallel_tls_SOURCES = synch-parallel.c
synch_parallel_tls_CPPFLAGS = \
- -I$(top_srcdir)/include \
+ $(AM_CPPFLAGS) \
-I$(top_srcdir)/common/include \
-DTLS=1 \
$(NULL)
-synch_parallel_tls_CFLAGS = $(WARNINGS_CFLAGS) $(PTHREAD_CFLAGS)
+synch_parallel_tls_CFLAGS = $(AM_CFLAGS) $(PTHREAD_CFLAGS)
synch_parallel_tls_LDADD = $(top_builddir)/lib/libnbd.la $(PTHREAD_LIBS)
keys.psk:
@@ -550,18 +517,19 @@ TESTS += \
RANDOM1 := $(shell bash -c "echo $$(( 32768 + (RANDOM & 16383) ))")
connect_uri_nbd_SOURCES = connect-uri.c
connect_uri_nbd_CPPFLAGS = \
- -I$(top_srcdir)/include \
+ $(AM_CPPFLAGS) \
-DSERVER_PARAMS='"-p", "$(RANDOM1)"' \
-DPIDFILE='"connect-uri-nbd.pid"' \
- -DURI='"nbd://localhost:$(RANDOM1)/"'
-connect_uri_nbd_CFLAGS = $(WARNINGS_CFLAGS)
+ -DURI='"nbd://localhost:$(RANDOM1)/"' \
+ $(NULL)
+connect_uri_nbd_CFLAGS = $(AM_CFLAGS)
connect_uri_nbd_LDADD = $(top_builddir)/lib/libnbd.la
CONNECT_URI_NBD_UNIX_SOCKET := \
$(shell mktemp /tmp/connect-uri-nbd-unix-socket-XXXXXX)
connect_uri_nbd_unix_SOURCES = connect-uri.c
connect_uri_nbd_unix_CPPFLAGS = \
- -I$(top_srcdir)/include \
+ $(AM_CPPFLAGS) \
-DSERVER_PARAMS='"-U", SOCKET' \
-DSOCKET='"$(CONNECT_URI_NBD_UNIX_SOCKET)"' \
-DPIDFILE='"connect-uri-nbd-unix.pid"' \
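Review bot: `connect_uri_nbd_CFLAGS = $(AM_CFLAGS)` is redundant, since a target with no per-target `_CFLAGS` already receives AM_CFLAGS, and the next hunk for `connect_uri_nbds` simply deletes its `_CFLAGS` line instead; pick one form for all the connect-uri targets so the file does not suggest the two are compiled differently.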
@@ -584,18 +552,18 @@ TESTS += \
RANDOM2 := $(shell bash -c "echo $$(( 32768 + (RANDOM & 16383) ))")
connect_uri_nbds_SOURCES = connect-uri.c
connect_uri_nbds_CPPFLAGS = \
- -I$(top_srcdir)/include \
+ $(AM_CPPFLAGS) \
-DSERVER_PARAMS='"-p", "$(RANDOM2)", "--tls=require", "--tls-certificates=pki"' \
-DPIDFILE='"connect-uri-nbds.pid"' \
- -DURI='"nbds://localhost:$(RANDOM2)/"'
-connect_uri_nbds_CFLAGS = $(WARNINGS_CFLAGS)
+ -DURI='"nbds://localhost:$(RANDOM2)/"' \
+ $(NULL)
connect_uri_nbds_LDADD = $(top_builddir)/lib/libnbd.la
CONNECT_URI_NBDS_UNIX_SOCKET := \
$(shell mktemp /tmp/connect-uri-nbds-unix-socket-XXXXXX)
connect_uri_nbds_unix_SOURCES = connect-uri.c
connect_uri_nbds_unix_CPPFLAGS = \
- -I$(top_srcdir)/include \
+ $(AM_CPPFLAGS) \
-DSERVER_PARAMS='"-U", SOCKET, "--tls=require", "--tls-certificates=pki"' \
-DSOCKET='"$(CONNECT_URI_NBDS_UNIX_SOCKET)"' \
-DPIDFILE='"connect-uri-nbds-unix.pid"' \
@@ -617,11 +585,11 @@ TESTS += \
RANDOM3 := $(shell bash -c "echo $$(( 32768 + (RANDOM & 16383) ))")
connect_uri_nbds_psk_SOURCES = connect-uri.c
connect_uri_nbds_psk_CPPFLAGS = \
- -I$(top_srcdir)/include \
+ $(AM_CPPFLAGS) \
-DSERVER_PARAMS='"-p", "$(RANDOM3)", "--tls=require", "--tls-psk=keys.psk"' \
-DPIDFILE='"connect-uri-nbds-psk.pid"' \
- -DURI='"nbds://alice@localhost:$(RANDOM3)/?tls-psk-file=keys.psk"'
-connect_uri_nbds_psk_CFLAGS = $(WARNINGS_CFLAGS)
+ -DURI='"nbds://alice@localhost:$(RANDOM3)/?tls-psk-file=keys.psk"' \
+ $(NULL)
connect_uri_nbds_psk_LDADD = $(top_builddir)/lib/libnbd.la
endif HAVE_PSKTOOL
--
2.43.0


@ -0,0 +1,149 @@
From da628792ddf7a3d3cb8f8b770c7dbb9b9d67444b Mon Sep 17 00:00:00 2001
From: "Richard W.M. Jones" <rjones@redhat.com>
Date: Sat, 24 Apr 2021 21:40:58 +0100
Subject: [PATCH] tests/connect-uri.c: Ensure Unix domain socket is cleaned up
on exit
Commit 70f83fed13 ("tests: Create test sockets in /tmp instead of
local directory.") aimed to create sockets with short path names in
/tmp. However it never cleaned them up. Worse still, every time the
Makefile was evaluated at all a temporary file was created.
Fix this properly in the C file.
Fixes: commit 70f83fed131c7e52b1a31a28d9acaf19f6c11d57
(cherry picked from commit f5955c4c5bb0269e192b906a3ef98601aa63ad59)
(cherry picked from commit 502f0b59ec1dbd64c6c64279316e03540258a54c)
---
tests/Makefile.am | 16 ++++++----------
tests/connect-uri.c | 45 +++++++++++++++++++++++++++++++++++++++------
2 files changed, 45 insertions(+), 16 deletions(-)
diff --git a/tests/Makefile.am b/tests/Makefile.am
index 436e1c10..ed5585a5 100644
--- a/tests/Makefile.am
+++ b/tests/Makefile.am
@@ -525,15 +525,13 @@ connect_uri_nbd_CPPFLAGS = \
connect_uri_nbd_CFLAGS = $(AM_CFLAGS)
connect_uri_nbd_LDADD = $(top_builddir)/lib/libnbd.la
-CONNECT_URI_NBD_UNIX_SOCKET := \
- $(shell mktemp /tmp/connect-uri-nbd-unix-socket-XXXXXX)
connect_uri_nbd_unix_SOURCES = connect-uri.c
connect_uri_nbd_unix_CPPFLAGS = \
$(AM_CPPFLAGS) \
- -DSERVER_PARAMS='"-U", SOCKET' \
- -DSOCKET='"$(CONNECT_URI_NBD_UNIX_SOCKET)"' \
+ -DNEEDS_UNIX_SOCKET=1 \
+ -DSERVER_PARAMS='"-U", UNIX_SOCKET' \
-DPIDFILE='"connect-uri-nbd-unix.pid"' \
- -DURI='"nbd+unix:///?socket=" SOCKET'
+ -DURI='"nbd+unix:///?socket="' # UNIX_SOCKET appended
connect_uri_nbd_unix_CFLAGS = $(WARNINGS_CFLAGS)
connect_uri_nbd_unix_LDADD = $(top_builddir)/lib/libnbd.la
@@ -559,15 +557,13 @@ connect_uri_nbds_CPPFLAGS = \
$(NULL)
connect_uri_nbds_LDADD = $(top_builddir)/lib/libnbd.la
-CONNECT_URI_NBDS_UNIX_SOCKET := \
- $(shell mktemp /tmp/connect-uri-nbds-unix-socket-XXXXXX)
connect_uri_nbds_unix_SOURCES = connect-uri.c
connect_uri_nbds_unix_CPPFLAGS = \
$(AM_CPPFLAGS) \
- -DSERVER_PARAMS='"-U", SOCKET, "--tls=require", "--tls-certificates=pki"' \
- -DSOCKET='"$(CONNECT_URI_NBDS_UNIX_SOCKET)"' \
+ -DNEEDS_UNIX_SOCKET=1 \
+ -DSERVER_PARAMS='"-U", UNIX_SOCKET, "--tls=require", "--tls-certificates=pki"' \
-DPIDFILE='"connect-uri-nbds-unix.pid"' \
- -DURI='"nbds+unix:///?socket=" SOCKET'
+ -DURI='"nbds+unix:///?socket="' # UNIX_SOCKET appended
connect_uri_nbds_unix_CFLAGS = $(WARNINGS_CFLAGS)
connect_uri_nbds_unix_LDADD = $(top_builddir)/lib/libnbd.la
diff --git a/tests/connect-uri.c b/tests/connect-uri.c
index 6e7d1685..ce9e4d9b 100644
--- a/tests/connect-uri.c
+++ b/tests/connect-uri.c
@@ -29,16 +29,49 @@
#include <libnbd.h>
+#ifdef NEEDS_UNIX_SOCKET
+#define UNIX_SOCKET tmp
+static char tmp[] = "/tmp/nbdXXXXXX";
+
+static void
+unlink_unix_socket (void)
+{
+ unlink (UNIX_SOCKET);
+}
+#endif /* NEEDS_UNIX_SOCKET */
+
int
main (int argc, char *argv[])
{
struct nbd_handle *nbd;
pid_t pid;
size_t i;
+#ifdef NEEDS_UNIX_SOCKET
+ char *uri;
+#else
+ const char *uri = URI;
+#endif
+
+#ifdef NEEDS_UNIX_SOCKET
+ int fd = mkstemp (UNIX_SOCKET);
+ if (fd == -1 ||
+ close (fd) == -1) {
+ perror (UNIX_SOCKET);
+ exit (EXIT_FAILURE);
+ }
+ /* We have to remove the temporary file first, since we will create
+ * a socket in its place, and ensure the socket is removed on exit.
+ */
+ unlink_unix_socket ();
+ atexit (unlink_unix_socket);
-#ifdef SOCKET
- unlink (SOCKET);
+ /* uri = URI + UNIX_SOCKET */
+ if (asprintf (&uri, "%s%s", URI, UNIX_SOCKET) == -1) {
+ perror ("asprintf");
+ exit (EXIT_FAILURE);
+ }
#endif
+
unlink (PIDFILE);
pid = fork ();
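Review bot: there is a window between `unlink_unix_socket ()` and the moment the forked server binds the socket in which the `/tmp/nbdXXXXXX` name is free in a world-writable, sticky directory, so another local user can create a file or a listening socket there first; the test then fails with EADDRINUSE or, worse, talks to a socket it does not own. Creating a 0700 directory with `mkdtemp` and placing the socket inside it (the path stays short enough for `sun_path`) closes that window, and the `atexit` handler can remove the directory instead of the bare path.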
@@ -75,13 +108,13 @@ main (int argc, char *argv[])
nbd_set_uri_allow_local_file (nbd, true);
- if (nbd_connect_uri (nbd, URI) == -1) {
+ if (nbd_connect_uri (nbd, uri) == -1) {
fprintf (stderr, "%s\n", nbd_get_error ());
exit (EXIT_FAILURE);
}
/* Check we negotiated the right kind of connection. */
- if (strncmp (URI, "nbds", 4) == 0) {
+ if (strncmp (uri, "nbds", 4) == 0) {
if (! nbd_get_tls_negotiated (nbd)) {
fprintf (stderr, "%s: failed to negotiate a TLS connection\n",
argv[0]);
@@ -95,8 +128,8 @@ main (int argc, char *argv[])
}
nbd_close (nbd);
-#ifdef SOCKET
- unlink (SOCKET);
+#ifdef NEEDS_UNIX_SOCKET
+ free (uri);
#endif
exit (EXIT_SUCCESS);
}
--
2.43.0


@ -0,0 +1,194 @@
From ee3f88640062372d04406da321270a775377eb6c Mon Sep 17 00:00:00 2001
From: "Richard W.M. Jones" <rjones@redhat.com>
Date: Fri, 3 Sep 2021 08:42:31 +0100
Subject: [PATCH] lib: Allow tls-certificates=<DIR> query parameter in URIs
For nbd_connect_uri, this allows a non-default path to a certificates
directory to be specified. For example:
nbds+unix://user@/?socket=/tmp/sock&tls-certificates=tests/pki
nbd_get_uri is also extended to produce the tls-certificates query
field if nbd_set_tls_certificates was called.
The main work here is extending the test suite so it actually tests
TLS URIs properly. Firstly we need to add --tls-verify-peer to the
nbdkit command line so it checks TLS client credentials at all
(previously it enabled TLS but didn't verify the client). Then we
need to add tests which use TLS certificates (previously only PSK was
being tested). And finally I loosened the rules for comparing URIs
since the order that query strings are returned by nbd_get_uri is not
necessarily the same as the query strings in nbd_connect_uri.
(cherry picked from commit 847e0b9830f6a9f07b4c242e1a500cd2b90cca5a)
(cherry picked from commit 5e85582ec79460c95552f06c6d6c41d15dae092f)
---
.gitignore | 5 +++--
generator/API.ml | 10 ++++++++++
lib/uri.c | 14 ++++++++++++--
tests/Makefile.am | 47 +++++++++++++++++++++++++++++------------------
4 files changed, 54 insertions(+), 22 deletions(-)
diff --git a/.gitignore b/.gitignore
index 4935b81b..c974e27b 100644
--- a/.gitignore
+++ b/.gitignore
@@ -167,9 +167,10 @@ Makefile.in
/tests/connect-unix
/tests/connect-uri-nbd
/tests/connect-uri-nbd-unix
-/tests/connect-uri-nbds
+/tests/connect-uri-nbds-certs
/tests/connect-uri-nbds-psk
-/tests/connect-uri-nbds-unix
+/tests/connect-uri-nbds-unix-certs
+/tests/connect-uri-nbds-unix-psk
/tests/debug
/tests/debug-environment
/tests/errors
diff --git a/generator/API.ml b/generator/API.ml
index a46c6407..4b2a62e8 100644
--- a/generator/API.ml
+++ b/generator/API.ml
@@ -1231,6 +1231,11 @@ Connect over the Unix domain socket F</tmp/nbd.sock> to
an NBD server running locally. The export name is set to C<foo>
(note without any leading C</> character).
+=item C<nbds+unix://alice@/?socket=/tmp/nbd.sock&tls-certificates=certs>
+
+Connect over a Unix domain socket, enabling TLS and setting the
+path to a directory containing certificates and keys.
+
=item C<nbd+vsock:///>
In this scenario libnbd is running in a virtual machine. Connect
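Review bot: the new `nbds+unix://alice@/?socket=/tmp/nbd.sock&tls-certificates=certs` example does not say that the `tls-certificates` parameter is rejected unless the application has called `nbd_set_uri_allow_local_file`, which a reader copying the example will hit immediately; the parameter list later in this patch states it, but the example should point there too, and should note that a relative directory such as `certs` is resolved against the client's working directory.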
@@ -1291,6 +1296,11 @@ Specifies the Unix domain socket to connect on.
Must be present for the C<+unix> transport and must not
be present for the other transports.
+=item B<tls-certificates=>F<DIR>
+
+Set the certificates directory. See L<nbd_set_tls_certificates(3)>.
+Note this is not allowed by default - see next section.
+
=item B<tls-psk-file=>F<PSKFILE>
Set the PSK file. See L<nbd_set_tls_psk_file(3)>. Note
diff --git a/lib/uri.c b/lib/uri.c
index 9f5a2901..c8d9041e 100644
--- a/lib/uri.c
+++ b/lib/uri.c
@@ -249,9 +249,19 @@ nbd_unlocked_aio_connect_uri (struct nbd_handle *h, const char *raw_uri)
if (tls && nbd_unlocked_set_tls (h, LIBNBD_TLS_REQUIRE) == -1)
goto cleanup;
- /* Look for some tls-* parameters. XXX More to come. */
+ /* Look for some tls-* parameters. */
for (i = 0; i < queries.size; i++) {
- if (strcmp (queries.ptr[i].name, "tls-psk-file") == 0) {
+ if (strcmp (queries.ptr[i].name, "tls-certificates") == 0) {
+ if (! h->uri_allow_local_file) {
+ set_error (EPERM,
+ "local file access (tls-certificates) is not allowed, "
+ "call nbd_set_uri_allow_local_file to enable this");
+ goto cleanup;
+ }
+ if (nbd_unlocked_set_tls_certificates (h, queries.ptr[i].value) == -1)
+ goto cleanup;
+ }
+ else if (strcmp (queries.ptr[i].name, "tls-psk-file") == 0) {
if (! h->uri_allow_local_file) {
set_error (EPERM,
"local file access (tls-psk-file) is not allowed, "
diff --git a/tests/Makefile.am b/tests/Makefile.am
index ed5585a5..3c33b747 100644
--- a/tests/Makefile.am
+++ b/tests/Makefile.am
@@ -539,33 +539,32 @@ if HAVE_GNUTLS
if HAVE_CERTTOOL
check_PROGRAMS += \
- connect-uri-nbds \
- connect-uri-nbds-unix \
+ connect-uri-nbds-certs \
+ connect-uri-nbds-unix-certs \
$(NULL)
TESTS += \
- connect-uri-nbds \
- connect-uri-nbds-unix \
+ connect-uri-nbds-certs \
+ connect-uri-nbds-unix-certs \
$(NULL)
RANDOM2 := $(shell bash -c "echo $$(( 32768 + (RANDOM & 16383) ))")
-connect_uri_nbds_SOURCES = connect-uri.c
-connect_uri_nbds_CPPFLAGS = \
+connect_uri_nbds_certs_SOURCES = connect-uri.c
+connect_uri_nbds_certs_CPPFLAGS = \
$(AM_CPPFLAGS) \
- -DSERVER_PARAMS='"-p", "$(RANDOM2)", "--tls=require", "--tls-certificates=pki"' \
- -DPIDFILE='"connect-uri-nbds.pid"' \
- -DURI='"nbds://localhost:$(RANDOM2)/"' \
+ -DSERVER_PARAMS='"-p", "$(RANDOM2)", "--tls=require", "--tls-verify-peer", "--tls-certificates=pki"' \
+ -DPIDFILE='"connect-uri-nbds-certs.pid"' \
+ -DURI='"nbds://localhost:$(RANDOM2)/?tls-certificates=pki"' \
$(NULL)
-connect_uri_nbds_LDADD = $(top_builddir)/lib/libnbd.la
+connect_uri_nbds_certs_LDADD = $(top_builddir)/lib/libnbd.la
-connect_uri_nbds_unix_SOURCES = connect-uri.c
-connect_uri_nbds_unix_CPPFLAGS = \
+connect_uri_nbds_unix_certs_SOURCES = connect-uri.c
+connect_uri_nbds_unix_certs_CPPFLAGS = \
$(AM_CPPFLAGS) \
-DNEEDS_UNIX_SOCKET=1 \
- -DSERVER_PARAMS='"-U", UNIX_SOCKET, "--tls=require", "--tls-certificates=pki"' \
- -DPIDFILE='"connect-uri-nbds-unix.pid"' \
- -DURI='"nbds+unix:///?socket="' # UNIX_SOCKET appended
-connect_uri_nbds_unix_CFLAGS = $(WARNINGS_CFLAGS)
-connect_uri_nbds_unix_LDADD = $(top_builddir)/lib/libnbd.la
+ -DSERVER_PARAMS='"-U", UNIX_SOCKET, "--tls=require", "--tls-verify-peer", "--tls-certificates=pki"' \
+ -DPIDFILE='"connect-uri-nbds-unix-certs.pid"' \
+ -DURI='"nbds+unix://alice@/?tls-certificates=pki&socket="' # UNIX_SOCKET appended
+connect_uri_nbds_unix_certs_LDADD = $(top_builddir)/lib/libnbd.la
endif HAVE_CERTTOOL
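Review bot: the new `connect-uri-nbds-unix-certs` test does not verify the server certificate at this point in the series: its URI has no host, so `h->hostname` is NULL and the `if (h->hostname && h->tls_verify_peer)` guard in `lib/crypto.c` (visible in the later crypto.c patch) never reaches `gnutls_session_set_verify_cert`; the test passes because the client checks nothing. The test program also only asserts `nbd_get_tls_negotiated`, which cannot tell a verified session from an encrypted but unverified one; a negative test that points `tls-certificates` at a directory holding the wrong CA and expects `nbd_connect_uri` to fail would catch exactly the regression this series fixes.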
@@ -573,21 +572,33 @@ if HAVE_PSKTOOL
check_PROGRAMS += \
connect-uri-nbds-psk \
+ connect-uri-nbds-unix-psk \
$(NULL)
TESTS += \
connect-uri-nbds-psk \
+ connect-uri-nbds-unix-psk \
$(NULL)
RANDOM3 := $(shell bash -c "echo $$(( 32768 + (RANDOM & 16383) ))")
connect_uri_nbds_psk_SOURCES = connect-uri.c
connect_uri_nbds_psk_CPPFLAGS = \
$(AM_CPPFLAGS) \
- -DSERVER_PARAMS='"-p", "$(RANDOM3)", "--tls=require", "--tls-psk=keys.psk"' \
+ -DSERVER_PARAMS='"-p", "$(RANDOM3)", "--tls=require", "--tls-verify-peer", "--tls-psk=keys.psk"' \
-DPIDFILE='"connect-uri-nbds-psk.pid"' \
-DURI='"nbds://alice@localhost:$(RANDOM3)/?tls-psk-file=keys.psk"' \
$(NULL)
connect_uri_nbds_psk_LDADD = $(top_builddir)/lib/libnbd.la
+connect_uri_nbds_unix_psk_SOURCES = connect-uri.c
+connect_uri_nbds_unix_psk_CPPFLAGS = \
+ $(AM_CPPFLAGS) \
+ -DNEEDS_UNIX_SOCKET=1 \
+ -DSERVER_PARAMS='"-U", UNIX_SOCKET, "--tls=require", "--tls-verify-peer", "--tls-psk=keys.psk"' \
+ -DPIDFILE='"connect-uri-nbds-unix-psk.pid"' \
+ -DURI='"nbds+unix://alice@/?tls-psk-file=keys.psk&socket="' # UNIX_SOCKET appended \
+ $(NULL)
+connect_uri_nbds_unix_psk_LDADD = $(top_builddir)/lib/libnbd.la
+
endif HAVE_PSKTOOL
endif HAVE_GNUTLS
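Review bot: in `connect_uri_nbds_unix_psk_CPPFLAGS` the `-DURI` line ends with `# UNIX_SOCKET appended \`, and in GNU make a backslash-newline inside a comment continues the comment, so the `$(NULL)` on the next line is swallowed into the comment. It is harmless only because `$(NULL)` is empty; drop the trailing backslash or move the comment onto its own line, as the `connect_uri_nbds_unix_certs_CPPFLAGS` block above does.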
--
2.43.0


@ -0,0 +1,33 @@
From 10ca0d72932092b09475893de233f17d3eff8a72 Mon Sep 17 00:00:00 2001
From: "Richard W.M. Jones" <rjones@redhat.com>
Date: Thu, 4 Aug 2022 13:28:25 +0100
Subject: [PATCH] tests/make-pki.sh: Use Subject Alternative Name for server
certificate
This allows us to test this feature.
(cherry picked from nbdkit commit 0c50bef16f9d6705add8db85c7ea7b4523770fba)
(cherry picked from commit 38eabf6df05fae109212a4ce9afc9c0fe63c2f0e)
(cherry picked from commit b07898e1ee70b0641ec5233d6e8f7fa16b63c287)
---
tests/make-pki.sh | 3 +++
1 file changed, 3 insertions(+)
diff --git a/tests/make-pki.sh b/tests/make-pki.sh
index d4f61204..03f4faa1 100755
--- a/tests/make-pki.sh
+++ b/tests/make-pki.sh
@@ -75,6 +75,9 @@ chmod 0600 $1/server-key.pem
cat > $1/server.info <<EOF
organization = Test
cn = localhost
+dns_name = localhost
+ip_address = 127.0.0.1
+ip_address = ::1
tls_www_server
encryption_key
signing_key
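Review bot: the commit message says this lets the feature be tested, but nothing in the patch connects to the server by IP address, so the new `ip_address = 127.0.0.1` and `ip_address = ::1` entries are never exercised; a companion test using `nbds://127.0.0.1:PORT/` (and the `[::1]` form) would show that the IP SAN entries are honoured once the client verifies the server name.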
--
2.43.0


@ -0,0 +1,57 @@
From dab43717f183cf96fcda6a0be22c39801dcfda83 Mon Sep 17 00:00:00 2001
From: "Richard W.M. Jones" <rjones@redhat.com>
Date: Mon, 24 Jun 2024 10:48:12 +0100
Subject: [PATCH] lib/crypto.c: Check server certificate even when using system
CA
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
The previous code checked the server certificate only when a custom
certificate directory was set (i.e. nbd_set_tls_certificates /
?tls-certificates=DIR). In the fallback case where we use the system
CA, we never called gnutls_session_set_verify_cert and so the server
certificate was never checked.
Move the call to gnutls_session_set_verify_cert later so it is called
on both paths.
If the server certificate does not match the hostname you will see:
nbdinfo: nbd_connect_uri: gnutls_handshake: Error in the certificate verification. (15/1)
Reported-by: Jon Szymaniak <jon.szymaniak@gmail.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
(cherry picked from commit 87ef41b69929d5d293390ec36b1c10aba2c9a57a)
(cherry picked from commit 81bd57bb8ab0b142207efb9f69a233418fbb4f8f)
---
lib/crypto.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/lib/crypto.c b/lib/crypto.c
index 705e114a..4c398b03 100644
--- a/lib/crypto.c
+++ b/lib/crypto.c
@@ -513,9 +513,6 @@ set_up_certificate_credentials (struct nbd_handle *h,
return NULL;
found_certificates:
- if (h->hostname && h->tls_verify_peer)
- gnutls_session_set_verify_cert (session, h->hostname, 0);
-
err = gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, ret);
if (err < 0) {
set_error (0, "gnutls_credentials_set: %s", gnutls_strerror (err));
@@ -625,6 +622,9 @@ nbd_internal_crypto_create_session (struct nbd_handle *h,
gnutls_deinit (session);
return NULL;
}
+
+ if (h->hostname && h->tls_verify_peer)
+ gnutls_session_set_verify_cert (session, h->hostname, 0);
}
/* Wrap the underlying socket with GnuTLS. */
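Review bot: the relocated call still carries the `h->hostname &&` guard, so connections without a hostname (Unix domain sockets, vsock) continue to skip `gnutls_session_set_verify_cert` entirely and are not covered by this fix; the next patch in the series drops the guard, and the two should arguably be one change so that no intermediate commit claims the certificate is checked when it is checked on only one transport. Consider also reporting `gnutls_session_get_verify_cert_status` (formatted with `gnutls_certificate_verification_status_print`) when the handshake fails, since the "Error in the certificate verification. (15/1)" quoted in the commit message tells the user neither which check failed nor which name was expected.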
--
2.43.0


@ -0,0 +1,76 @@
From 17dc75c8235af7126b3820d5e0be3488efe74671 Mon Sep 17 00:00:00 2001
From: "Richard W.M. Jones" <rjones@redhat.com>
Date: Mon, 24 Jun 2024 10:31:10 +0100
Subject: [PATCH] lib/crypto.c: Allow CA verification even if h->hostname is
not set
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Calling gnutls_session_set_verify_cert with the hostname parameter set
to NULL is permitted:
https://www.gnutls.org/manual/html_node/Core-TLS-API.html#gnutls_005fsession_005fset_005fverify_005fcert
It means that the server's hostname in the certificate will not be
verified but we can at least check that the certificate was signed by
the CA. This allows the CA to be checked even for connections over
Unix domain sockets.
Example:
$ rm -f /tmp/sock
$ nbdkit -U /tmp/sock -f --tls=require --tls-certificates=$HOME/d/nbdkit/tests/pki memory 1G &
Before this change:
$ nbdinfo 'nbds+unix://?socket=/tmp/sock'
protocol: newstyle-fixed with TLS, using structured packets
export="":
export-size: 1073741824 (1G)
content: data
uri: nbds+unix:///?socket=/tmp/sock
[etc]
(works because it never called gnutls_session_set_verify_cert).
After this change:
$ nbdinfo 'nbds+unix://?socket=/tmp/sock'
nbdinfo: nbd_connect_uri: gnutls_handshake: Error in the certificate verification. (15/1)
(fails because system CA does not know about nbdkit's certificate
which is signed by the CA from the nbdkit/tests/pki directory)
$ nbdinfo 'nbds+unix://?socket=/tmp/sock&tls-certificates=/home/rjones/d/nbdkit/tests/pki'
protocol: newstyle-fixed with TLS, using structured packets
export="":
export-size: 1073741824 (1G)
content: data
uri: nbds+unix:///?socket=/tmp/sock&tls-certificates=/home/rjones/d/nbdkit/tests/pki
[etc]
(works because we supplied the correct CA)
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
(cherry picked from commit 6ed47a27d14f6f11946bb096d94e5bf21d97083d)
(cherry picked from commit 42ee6d8dd919b241b1f1510f5759673b26fc9731)
---
lib/crypto.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/lib/crypto.c b/lib/crypto.c
index 4c398b03..a5177bbb 100644
--- a/lib/crypto.c
+++ b/lib/crypto.c
@@ -623,7 +623,7 @@ nbd_internal_crypto_create_session (struct nbd_handle *h,
return NULL;
}
- if (h->hostname && h->tls_verify_peer)
+ if (h->tls_verify_peer)
gnutls_session_set_verify_cert (session, h->hostname, 0);
}
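Review bot: with `h->hostname` NULL, GnuTLS verifies only that the chain leads to a trusted CA, so on a Unix socket or vsock transport any certificate that CA ever issued (for example one belonging to a different server) is accepted; the socket path is the only identity binding left. That is a reasonable trade-off, but it should be stated in the `nbd_set_tls_verify_peer` documentation, and a way for the caller to supply the expected name for hostless transports would let the check be as strict as the TCP case.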
--
2.43.0


@ -0,0 +1,90 @@
From 1f82b6d2d894bf567926f4ae52f4362654db8f38 Mon Sep 17 00:00:00 2001
From: "Richard W.M. Jones" <rjones@redhat.com>
Date: Tue, 25 Jun 2024 11:12:56 +0100
Subject: [PATCH] lib/uri.c: Allow tls-verify-peer to be overridden in URIs
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Older versions of libnbd didn't always check the server certificate.
Since some clients might be depending on this, allow
?tls-verify-peer=false in URIs to skip this check.
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
(cherry picked from commit 75641c6b30155abce272f60cf3518a65654aa401)
(cherry picked from commit caad9cfb5dda0957c4b15cc85738a4c6ac856e8b)
(cherry picked from commit 4bfc3176de535350f884732b8793574e37714d2a)
---
generator/API.ml | 5 +++++
lib/uri.c | 32 ++++++++++++++++++++++++++++++++
2 files changed, 37 insertions(+)
diff --git a/generator/API.ml b/generator/API.ml
index 4b2a62e8..69ee428d 100644
--- a/generator/API.ml
+++ b/generator/API.ml
@@ -1306,6 +1306,11 @@ Note this is not allowed by default - see next section.
Set the PSK file. See L<nbd_set_tls_psk_file(3)>. Note
this is not allowed by default - see next section.
+=item B<tls-verify-peer=false>
+
+Do not verify the server certificate. See L<nbd_set_tls_verify_peer(3)>.
+The default is C<true>.
+
=back
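Review bot: the `tls-verify-peer=false` entry should say what is given up: the client will complete the handshake with any certificate, so an on-path attacker holding any key can impersonate the server, and the switch exists only for compatibility with clients that relied on the old unverified behaviour. It should also mention that the value is parsed as a boolean (`0`, `no` and `off` are accepted as well as `false`), since the text documents only the `false` spelling.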
=head2 Disable URI features
diff --git a/lib/uri.c b/lib/uri.c
index c8d9041e..8dfefd00 100644
--- a/lib/uri.c
+++ b/lib/uri.c
@@ -140,6 +140,31 @@ error:
return -1;
}
+/* Similar to nbdkit_parse_bool */
+int
+parse_bool (const char *param, const char *value)
+{
+ if (!strcmp (value, "1") ||
+ !strcasecmp (value, "true") ||
+ !strcasecmp (value, "t") ||
+ !strcasecmp (value, "yes") ||
+ !strcasecmp (value, "y") ||
+ !strcasecmp (value, "on"))
+ return 1;
+
+ if (!strcmp (value, "0") ||
+ !strcasecmp (value, "false") ||
+ !strcasecmp (value, "f") ||
+ !strcasecmp (value, "no") ||
+ !strcasecmp (value, "n") ||
+ !strcasecmp (value, "off"))
+ return 0;
+
+ set_error (EINVAL, "could not parse %s parameter, expecting %s=true|false",
+ param, param);
+ return -1;
+}
+
int
nbd_unlocked_aio_connect_uri (struct nbd_handle *h, const char *raw_uri)
{
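Review bot: `parse_bool` is added as an external (non-`static`) function with a generic name inside a shared library; unless the linker version script hides it, it joins the exported symbol set and can collide with an application's own `parse_bool`. Make it `static`, or give it the `nbd_internal_` prefix used for the library's other internal helpers.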
@@ -271,6 +296,13 @@ nbd_unlocked_aio_connect_uri (struct nbd_handle *h, const char *raw_uri)
if (nbd_unlocked_set_tls_psk_file (h, queries.ptr[i].value) == -1)
goto cleanup;
}
+ else if (strcasecmp (queries.ptr[i].name, "tls-verify-peer") == 0) {
+ int v = parse_bool ("tls-verify-peer", queries.ptr[i].value);
+ if (v == -1)
+ goto cleanup;
+ if (nbd_unlocked_set_tls_verify_peer (h, v) == -1)
+ goto cleanup;
+ }
}
/* Username. */
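Review bot: `tls-verify-peer` is matched with `strcasecmp` whereas `tls-certificates` and `tls-psk-file` above use `strcmp`, so `TLS-VERIFY-PEER=false` is honoured but `TLS-CERTIFICATES=dir` is ignored; pick one rule for all query names. More importantly, an application that hands user-supplied URIs to `nbd_connect_uri` has no way to refuse `tls-verify-peer=false`: the file parameters are gated behind `uri_allow_local_file`, but this one is always accepted, so a URI can silently downgrade the connection to unverified TLS. Either gate it behind an explicit allow flag or document it in the "Disable URI features" section so callers know to check the URI themselves.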
--
2.43.0


@ -0,0 +1,32 @@
From 437d3aedd5ecbcb8d5234665015c5813a6ca1712 Mon Sep 17 00:00:00 2001
From: "Richard W.M. Jones" <rjones@redhat.com>
Date: Tue, 25 Jun 2024 17:53:47 +0100
Subject: [PATCH] docs: security: Add link to TLS server certificate checking
announcement
(cherry picked from commit 9c723aa660c6ee7d224afbfc16eb7450d21fb9cf)
(cherry picked from commit 9b77d853d82c291f74b51305d58e9db7f555a254)
(cherry picked from commit b477be4ed47daa6ba73c176ae8b0288ec8e84f23)
---
docs/libnbd-security.pod | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/docs/libnbd-security.pod b/docs/libnbd-security.pod
index 0cae8462..b31f3f8b 100644
--- a/docs/libnbd-security.pod
+++ b/docs/libnbd-security.pod
@@ -28,6 +28,11 @@ denial of service when using L<nbd_set_opt_mode(3)>
See the full announcement here:
L<https://listman.redhat.com/archives/libguestfs/2021-March/msg00092.html>
+=head2 multiple flaws in TLS server certificate checking
+
+See the full announcement here:
+L<https://lists.libguestfs.org/archives/list/guestfs@lists.libguestfs.org/thread/LHR3BW6RJ7K4BJBQIYV3GTZLSY27VZO2/>
+
=head1 SEE ALSO
L<libnbd(3)>.
--
2.43.0


@ -0,0 +1,34 @@
From 626331d88fdf8ed87dc066faeb836fc5926f5420 Mon Sep 17 00:00:00 2001
From: "Richard W.M. Jones" <rjones@redhat.com>
Date: Thu, 1 Aug 2024 15:17:29 +0100
Subject: [PATCH] docs/libnbd-security.pod: Assign CVE-2024-7383
CVE-2024-7383 was assigned to the (already published & fixed) flaws
found in libnbd certificate checking.
Reported-by: Jon Szymaniak
Thanks: Mauro Matteo Cascella
(cherry picked from commit 81a22ac6697ccdeb13509aba3072609251d1378b)
(cherry picked from commit 599281af594db8414d856db409846b04fce03824)
(cherry picked from commit 8f7dce2b6d6716f9eec0f352a3c420ae84a84be9)
---
docs/libnbd-security.pod | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/docs/libnbd-security.pod b/docs/libnbd-security.pod
index b31f3f8b..4c3b5bbd 100644
--- a/docs/libnbd-security.pod
+++ b/docs/libnbd-security.pod
@@ -28,7 +28,8 @@ denial of service when using L<nbd_set_opt_mode(3)>
See the full announcement here:
L<https://listman.redhat.com/archives/libguestfs/2021-March/msg00092.html>
-=head2 multiple flaws in TLS server certificate checking
+=head2 CVE-2024-7383
+multiple flaws in TLS server certificate checking
See the full announcement here:
L<https://lists.libguestfs.org/archives/list/guestfs@lists.libguestfs.org/thread/LHR3BW6RJ7K4BJBQIYV3GTZLSY27VZO2/>
--
2.43.0


@ -6,7 +6,7 @@ set -e
# directory. Use it like this:
# ./copy-patches.sh
rhel_version=8.6
rhel_version=8.10
# Check we're in the right directory.
if [ ! -f libnbd.spec ]; then


@ -9,7 +9,7 @@
Name: libnbd
Version: 1.6.0
Release: 5%{?dist}
Release: 6%{?dist}
Summary: NBD client library in userspace
License: LGPLv2+
@ -26,7 +26,7 @@ Source2: libguestfs.keyring
Source3: copy-patches.sh
# Patches come from this upstream branch:
# https://github.com/libguestfs/libnbd/tree/rhel-8.6
# https://github.com/libguestfs/libnbd/tree/rhel-8.10
# Patches.
Patch0001: 0001-copy-copy-nbd-to-sparse-file.sh-Skip-test-unless-nbd.patch
@ -36,6 +36,16 @@ Patch0004: 0004-opt_go-Tolerate-unplanned-server-death.patch
Patch0005: 0005-security-Document-assignment-of-CVE-2021-20286.patch
Patch0006: 0006-copy-Pass-in-dummy-variable-rather-than-errno-to-cal.patch
Patch0007: 0007-copy-CVE-2022-0485-Fail-nbdcopy-if-NBD-read-or-write.patch
Patch0008: 0008-build-Move-to-minimum-gnutls-3.5.18.patch
Patch0009: 0009-tests-Factor-out-some-common-Makefile-flags.patch
Patch0010: 0010-tests-connect-uri.c-Ensure-Unix-domain-socket-is-cle.patch
Patch0011: 0011-lib-Allow-tls-certificates-DIR-query-parameter-in-UR.patch
Patch0012: 0012-tests-make-pki.sh-Use-Subject-Alternative-Name-for-s.patch
Patch0013: 0013-lib-crypto.c-Check-server-certificate-even-when-usin.patch
Patch0014: 0014-lib-crypto.c-Allow-CA-verification-even-if-h-hostnam.patch
Patch0015: 0015-lib-uri.c-Allow-tls-verify-peer-to-be-overridden-in-.patch
Patch0016: 0016-docs-security-Add-link-to-TLS-server-certificate-che.patch
Patch0017: 0017-docs-libnbd-security.pod-Assign-CVE-2024-7383.patch
%if 0%{patches_touch_autotools}
BuildRequires: autoconf, automake, libtool
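Review bot: patches 0009, 0010 and 0011 modify `tests/Makefile.am`, so the build has to re-run autoreconf for them to take effect; the `%if 0%{patches_touch_autotools}` conditional just below this list only does that when `patches_touch_autotools` is set, and its definition is outside the hunk. Confirm it is set to 1 for this build, otherwise the new `connect-uri-nbds-*-certs` tests are not built and `make check` will not cover the certificate-verification fix.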
@ -312,6 +322,10 @@ make %{?_smp_mflags} check || {
%changelog
* Tue Aug 27 2024 Richard W.M. Jones <rjones@redhat.com> - 1.6.0-6.el8
- Fix CVE-2024-7383 NBD server improper certificate validation
resolves: RHEL-52728
* Mon Feb 7 2022 Richard W.M. Jones <rjones@redhat.com> - 1.6.0-5.el8
- Fix CVE-2022-0485: Fail nbdcopy if NBD read or write fails
resolves: rhbz#2045718