libnbd/SOURCES/0009-interop-Test-interop-with-a-bad-system-CA.patch

85 lines
2.9 KiB
Diff

From c20ac23a9a3673cca863974ec53f9129392fd447 Mon Sep 17 00:00:00 2001
From: "Richard W.M. Jones" <rjones@redhat.com>
Date: Mon, 24 Jun 2024 11:39:01 +0100
Subject: [PATCH] interop: Test interop with a bad system CA
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
This is expected to fail now.
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
(cherry picked from commit 1c7db8f3337632f0395dac9b13cf03b100cf1a4a)
(cherry picked from commit cb3519eeefa788b8fef466bf9394eefa9d6a6c18)
---
.gitignore | 1 +
interop/Makefile.am | 26 ++++++++++++++++++++++++++
2 files changed, 27 insertions(+)
diff --git a/.gitignore b/.gitignore
index 0b1cf764..597043e1 100644
--- a/.gitignore
+++ b/.gitignore
@@ -113,6 +113,7 @@ Makefile.in
/interop/interop-nbdkit-tls-certs
/interop/interop-nbdkit-tls-certs-allow-enabled
/interop/interop-nbdkit-tls-certs-allow-fallback
+/interop/interop-nbdkit-tls-certs-bad-CA
/interop/interop-nbdkit-tls-psk
/interop/interop-nbdkit-tls-psk-allow-enabled
/interop/interop-nbdkit-tls-psk-allow-fallback
diff --git a/interop/Makefile.am b/interop/Makefile.am
index 4cdc55e9..bc974b99 100644
--- a/interop/Makefile.am
+++ b/interop/Makefile.am
@@ -281,6 +281,7 @@ check_PROGRAMS += \
interop-nbdkit-tls-certs \
interop-nbdkit-tls-certs-allow-enabled \
interop-nbdkit-tls-certs-allow-fallback \
+ interop-nbdkit-tls-certs-bad-CA \
interop-nbdkit-tls-psk \
interop-nbdkit-tls-psk-allow-enabled \
interop-nbdkit-tls-psk-allow-fallback \
@@ -292,6 +293,7 @@ TESTS += \
interop-nbdkit-tls-certs \
interop-nbdkit-tls-certs-allow-enabled \
interop-nbdkit-tls-certs-allow-fallback \
+ interop-nbdkit-tls-certs-bad-CA \
interop-nbdkit-tls-psk \
interop-nbdkit-tls-psk-allow-enabled \
interop-nbdkit-tls-psk-allow-fallback \
@@ -370,6 +372,30 @@ interop_nbdkit_tls_certs_allow_fallback_LDADD = \
$(GNUTLS_LIBS) \
$(NULL)
+# In this test, nbdkit offers a server certificate signed by our CA in
+# the tests/pki directory, but we deliberately tell libnbd to test
+# against the system CA (-DCERTS=NULL). This is expected to fail the
+# connection with the error:
+# libnbd: debug: nbd1: nbd_connect_command: handle dead: nbd_connect_command: gnutls_handshake: Error in the certificate verification. (15/1)
+interop_nbdkit_tls_certs_bad_CA_SOURCES = \
+ interop.c \
+ requires.c \
+ ../tests/requires.h \
+ $(NULL)
+interop_nbdkit_tls_certs_bad_CA_CPPFLAGS = \
+ $(AM_CPPFLAGS) \
+ -DREQUIRES=' requires ("test -d ../tests/pki"); ' \
+ -DSERVER=\"$(NBDKIT)\" \
+ -DSERVER_PARAMS='"--tls=require", "--tls-certificates=../tests/pki", "-s", "--exit-with-parent", "null"' \
+ -DCERTS=NULL \
+ -DTLS_MODE=LIBNBD_TLS_REQUIRE \
+ -DEXPECT_FAIL=1 \
+ $(NULL)
+interop_nbdkit_tls_certs_bad_CA_LDADD = \
+ $(top_builddir)/lib/libnbd.la \
+ $(GNUTLS_LIBS) \
+ $(NULL)
+
interop_nbdkit_tls_psk_SOURCES = \
interop.c \
requires.c \
--
2.43.0